Title

The Ubuntu operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. (Cat II impact)

Discussion

Internet Control Message Protocol (ICMP) redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.

Check Content

Verify the Ubuntu operating system does not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. Check the value of the "default send_redirects" variables with the following command: # sudo sysctl net.ipv4.conf.default.send_redirects net.ipv4.conf.default.send_redirects=0 If the returned line does not have a value of "0", or a line is not returned, this is a finding.

Fix Text

Configure the Ubuntu operating system to not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default with the following command: # sudo sysctl -w net.ipv4.conf.default.send_redirects=0 If "0" is not the system's default value then add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d": net.ipv4.conf.default.send_redirects=0

Additional Identifiers

Rule ID: SV-215151r610931_rule

Vulnerability ID: V-215151

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.