
TOSS must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.

An XCCDF Rule

Description

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.

ID
SV-253123r991589_rule
Version
TOSS-04-040820
Severity
Medium

Remediation Templates

A Manual Procedure

Configure TOSS to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default with the following command:

$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0

If "0" is not the system's default value, then add or update the following line in the appropriate file under "/etc/sysctl.d":

net.ipv4.conf.default.send_redirects=0
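The persisted setting is only effective if no later file in the sysctl search path overrides it, so a check should look at both the configuration on disk and the running kernel. The script below is an added example, not part of the STIG or any TOSS tooling; it assumes a single sysctl.d-style directory processed in lexical order with last-setting-wins semantics (the real `sysctl --system` search path spans several directories plus /etc/sysctl.conf) and accepts both the dotted and slash-separated key forms.

```shell
#!/bin/sh
# Added example (not from the STIG): report the persisted and live values of
# net.ipv4.conf.default.send_redirects and decide whether the rule is met.
# Assumption: *.conf files in DIR are read in lexical order, last setting wins.

KEY="net.ipv4.conf.default.send_redirects"

# persisted_value DIR
# Prints the value the last *.conf file in DIR assigns to KEY, or "unset".
# Blank lines and comments (# or ;) are skipped; a leading "-" on the key
# (sysctl's "ignore errors" marker) and slash-form keys are normalised.
persisted_value() {
    dir="$1"
    found="unset"
    for f in "$dir"/*.conf; do
        [ -r "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
            case "$line" in ''|'#'*|';'*) continue ;; esac
            k=$(printf '%s' "$line" | cut -d= -f1 | sed 's/[[:space:]]*$//' | tr '/' '.')
            k=${k#-}
            v=$(printf '%s' "$line" | cut -d= -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            [ "$k" = "$KEY" ] && found="$v"
        done < "$f"
    done
    printf '%s\n' "$found"
}

# live_value
# Prints the running kernel's value, or "unavailable" when /proc/sys is
# not readable (non-Linux host or a restricted container).
live_value() {
    p=/proc/sys/net/ipv4/conf/default/send_redirects
    if [ -r "$p" ]; then cat "$p"; else echo unavailable; fi
}

# compliant DIR
# Exit 0 only when the persisted value is 0 and the live value, if readable, is 0.
compliant() {
    pv=$(persisted_value "$1")
    lv=$(live_value)
    echo "persisted=$pv live=$lv"
    [ "$pv" = "0" ] && { [ "$lv" = "0" ] || [ "$lv" = "unavailable" ]; }
}

# Usage: sh check_send_redirects.sh /etc/sysctl.d
[ -n "$1" ] && compliant "$1"
```

A persisted "0" that is shadowed by a later file or not yet loaded (no `sysctl --system` or reboot since the edit) shows up as a persisted/live mismatch in the output.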