Check: PHTN-67-000106
VMware vSphere 6.7 Photon OS STIG:
PHTN-67-000106
(in versions v1 r6 through v1 r1)
Title
The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. (Cat II impact)
Discussion
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Check Content
At the command line, execute the following command: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*).accept_redirects" Expected result: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 If the output does not match the expected result, this is a finding. Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".
Fix Text
Open /etc/sysctl.conf with a text editor. Add or update the following lines: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 Run the following command to load the new setting: # /sbin/sysctl --load
Additional Identifiers
Rule ID: SV-239177r816660_rule
Vulnerability ID: V-239177
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |