Check: GEN007860
SUSE Linux Enterprise Server v11 for System z STIG:
GEN007860
(in versions v1 r12 through v1 r9)
Title
The system must ignore IPv6 ICMP redirect messages. (Cat II impact)
Discussion
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Check Content
Verify the system is configured to ignore IPv6 ICMP redirect messages. # cat /proc/sys/net/ipv6/conf/all/accept_redirects If the /proc/sys/net/ipv6/conf/all/accept_redirects entry does not exist because of compliance with GEN007720, this is not a finding. If the returned value is not "0", this is a finding.
Fix Text
Configure the system to ignore IPv6 ICMP redirect messages. Edit "/etc/sysctl.conf" and add a settings for "net.ipv6.conf.default.accept_redirects=0" and "net.ipv6.conf.all.accept_redirects=0". Restart the system for the setting to take effect.
Additional Identifiers
Rule ID: SV-45990r2_rule
Vulnerability ID: V-22550
Group Title: GEN007860
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001551 |
The organization defines approved authorizations for controlling the flow of information between interconnected systems. |
Controls
| Number | Title |
|---|---|
| AC-4 |
Information Flow Enforcement |