Check: TOSS-04-040890
Tri-Lab Operating System Stack (TOSS) 4 STIG:
TOSS-04-040890
(in versions v2 r1 through v1 r1)
Title
TOSS must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. (Cat II impact)
Discussion
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Check Content
Verify TOSS will not accept IPv4 ICMP redirect messages. Note: If IPv4 is disabled on the system, this requirement is Not Applicable. Check the value of the default "accept_redirects" variables with the following command: $ sudo sysctl net.ipv4.conf.default.accept_redirects net.ipv4.conf.default.accept_redirects = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding.
Fix Text
Configure TOSS to prevent IPv4 ICMP redirect messages from being accepted with the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0 If "0" is not the system's default value then add or update the following line in the appropriate file under "/etc/sysctl.d": net.ipv4.conf.default.accept_redirects=0
Additional Identifiers
Rule ID: SV-253130r991589_rule
Vulnerability ID: V-253130
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |