Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-257972 | RHEL-09-254015 | SV-257972r991589_rule | Medium |
Description |
---|
An illicit ICMP redirect message could result in a man-in-the-middle attack. |
STIG | Date |
---|---|
Red Hat Enterprise Linux 9 Security Technical Implementation Guide | 2024-06-04 |
Check Text ( C-61713r925901_chk ) |
---|
Verify RHEL 9 ignores IPv6 ICMP redirect messages. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. Check the value of the "accept_redirects" variables with the following command: $ sysctl net.ipv6.conf.all.accept_redirects net.ipv6.conf.all.accept_redirects = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv6.conf.all.accept_redirects | tail -1 net.ipv6.conf.all.accept_redirects = 0 If "net.ipv6.conf.all.accept_redirects" is not set to "0" or is missing, this is a finding. |
Fix Text (F-61637r925902_fix) |
---|
Configure RHEL 9 to ignore IPv6 ICMP redirect messages. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv6.conf.all.accept_redirects = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system |