Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-257972 | RHEL-09-254015 | SV-257972r991589_rule | Medium |
| Description |
|---|
| An illicit ICMP redirect message could result in a man-in-the-middle attack. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 9 Security Technical Implementation Guide | 2024-06-04 |
Details
| Check Text ( C-61713r925901_chk ) |
|---|
| Verify RHEL 9 ignores IPv6 ICMP redirect messages. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. Check the value of the "accept_redirects" variables with the following command: $ sysctl net.ipv6.conf.all.accept_redirects net.ipv6.conf.all.accept_redirects = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv6.conf.all.accept_redirects | tail -1 net.ipv6.conf.all.accept_redirects = 0 If "net.ipv6.conf.all.accept_redirects" is not set to "0" or is missing, this is a finding. |
| Fix Text (F-61637r925902_fix) |
|---|
| Configure RHEL 9 to ignore IPv6 ICMP redirect messages. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv6.conf.all.accept_redirects = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system |