Check: UBTU-16-030590
Canonical Ubuntu 16.04 LTS STIG:
UBTU-16-030590
(in versions v2 r3 through v1 r3)
Title
The Ubuntu operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. (Cat II impact)
Discussion
Internet Control Message Protocol (ICMP) redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
Check Content
Verify the Ubuntu operating system does not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. Check the value of the "all send_redirects" variables with the following command: # sudo sysctl net.ipv4.conf.all.send_redirects net.ipv4.conf.all.send_redirects=0 If the returned line does not have a value of "0", or a line is not returned, this is a finding.
Fix Text
Configure the Ubuntu operating system to not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects with the following command: # sudo sysctl -w net.ipv4.conf.all.send_redirects=0 If "0" is not the system's default value then add or update the following line in "/etc/sysctl.conf" or in the appropriate file under "/etc/sysctl.d": net.ipv4.conf.all.send_redirects=0
Additional Identifiers
Rule ID: SV-215152r610931_rule
Vulnerability ID: V-215152
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |