TOSS must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
An XCCDF Rule
Description
<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-253131r991589_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure TOSS to prevent IPv6 ICMP redirect messages from being accepted with the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d":