Check: PHTN-67-000105
VMware vSphere 6.7 Photon OS STIG:
PHTN-67-000105
(in versions v1 r6 through v1 r1)
Title
The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. (Cat II impact)
Discussion
Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Check Content
At the command line, execute the following command:

# /sbin/sysctl -a --pattern ignore_broadcasts

Expected result:

net.ipv4.icmp_echo_ignore_broadcasts = 1

If the output does not match the expected result, this is a finding.
Fix Text
Open /etc/sysctl.conf with a text editor. Add or update the following line:

net.ipv4.icmp_echo_ignore_broadcasts=1

Run the following command to load the new setting:

# /sbin/sysctl --load
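The check and the fix above are two short manual procedures. The script below is an added example (not part of the STIG text or of VMware's or DISA's tooling) that automates both: one function evaluates sysctl output exactly the way the Check Content describes, and another makes the /etc/sysctl.conf edit idempotent so the line is added when missing and corrected when present with the wrong value, instead of appended a second time. The function names, the sample sysctl outputs and the use of a temporary file in place of `sed -i` are assumptions of this example.

```shell
#!/bin/sh
# Added example for PHTN-67-000105 (not from the STIG itself).
# Audit: decide PASS/FINDING from the output of
#   /sbin/sysctl -a --pattern ignore_broadcasts
# Remediate: add or update the line in /etc/sysctl.conf, then reload.

# Return 0 (compliant) only when the supplied sysctl output contains
# "net.ipv4.icmp_echo_ignore_broadcasts = 1"; any other value, a missing
# key or empty output returns 1 (a finding).
check_icmp_broadcast_setting() {
    printf '%s\n' "$1" |
        grep -Eq '^net\.ipv4\.icmp_echo_ignore_broadcasts[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Live audit on the current host: read the value through sysctl when
# present, otherwise straight from /proc/sys, and report it.
audit_phtn_67_000105() {
    if command -v sysctl >/dev/null 2>&1; then
        out=$(sysctl -a 2>/dev/null | grep ignore_broadcasts)
    else
        out="net.ipv4.icmp_echo_ignore_broadcasts = $(cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2>/dev/null)"
    fi
    if check_icmp_broadcast_setting "$out"; then
        echo "PASS: $out"
        return 0
    fi
    echo "FINDING: expected net.ipv4.icmp_echo_ignore_broadcasts = 1, got: ${out:-<no output>}"
    return 1
}

# Ensure FILE contains exactly one active "KEY=VALUE" line (hypothetical
# helper). An existing uncommented line for KEY is rewritten in place;
# commented-out lines are left alone; otherwise the line is appended.
ensure_sysctl_line() {
    file=$1; key=$2; value=$3
    # Escape the dots in the key so they match literally in the regex.
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=" "$file" 2>/dev/null; then
        sed "s|^[[:space:]]*${key_re}[[:space:]]*=.*|${key}=${value}|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Apply the Fix Text on a real host (needs root; not exercised by the test).
remediate_phtn_67_000105() {
    ensure_sysctl_line /etc/sysctl.conf net.ipv4.icmp_echo_ignore_broadcasts 1
    /sbin/sysctl --load
}

# Constructed sample outputs (not captured from a real Photon host).
compliant_sample='net.ipv4.icmp_echo_ignore_broadcasts = 1'
noncompliant_sample='net.ipv4.icmp_echo_ignore_broadcasts = 0'
```

Run `audit_phtn_67_000105` on the host to reproduce the Check Content, and `remediate_phtn_67_000105` as root to apply the Fix Text; `ensure_sysctl_line` can be pointed at any file, which is how a config-management job would test the edit before touching /etc/sysctl.conf.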
Additional Identifiers
Rule ID: SV-239176r816658_rule
Vulnerability ID: V-239176
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000366 | The organization implements the security configuration settings. |
Controls
| Number | Title |
|---|---|
| CM-6 | Configuration Settings |