TOSS must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
An XCCDF Rule
Description
<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology. There are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of "IPv6 Node Requirements", which resulted in this difference between IPv4 and IPv6.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-253123r991589_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure TOSS to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default with the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d":