
The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.


Overview

Finding ID: V-217290
Version: SLES-12-030380
Rule ID: SV-217290r603262_rule
IA Controls:
Severity: Medium
Description
Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
STIG Date
SLES 12 Security Technical Implementation Guide 2021-06-14

Details

Check Text ( C-18518r370026_chk )
Verify the SUSE operating system does not respond to IPv4 ICMP echoes sent to a broadcast address.

Check the value of the "net.ipv4.icmp_echo_ignore_broadcasts" variable with the following command:

# sysctl net.ipv4.icmp_echo_ignore_broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1

If the returned line does not have a value of "1", this is a finding.
Fix Text (F-18516r370027_fix)
Configure the SUSE operating system to set the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the existing line to have the required value):

net.ipv4.icmp_echo_ignore_broadcasts = 1

Run the following command to apply this value:

# sysctl --system
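
The check above reads only the running kernel value, while the fix relies on files that "sysctl --system" loads in sequence, so a later file can reset the parameter at the next boot. The following added example (not part of the STIG) audits both; the function names, the "--live" switch and the simplified file order (/etc/sysctl.d/*.conf, then /etc/sysctl.conf) are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not part of the STIG): audit running AND persisted values.
KEY="net.ipv4.icmp_echo_ignore_broadcasts"

# persisted_value FILE...
# Print the last value assigned to $KEY in the given sysctl config files,
# read in the order given (later assignments win). Prints nothing if unset.
persisted_value() {
    [ "$#" -gt 0 ] || return 0
    cat -- "$@" 2>/dev/null | awk -v key="$KEY" '
        /^[ \t]*[#;]/ { next }                  # comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            val  = substr($0, eq + 1)
            gsub(/[ \t]/, "", name)
            sub(/^-/, "", name)                 # "-" prefix: ignore set errors
            gsub(/\//, ".", name)               # slash form of the same key
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == key) last = val
        }
        END { if (last != "") print last }'
}

# audit_icmp_broadcast RUNTIME_VALUE FILE...
# Return 0 only when both the running and the persisted value are "1".
audit_icmp_broadcast() {
    runtime=$1; shift
    persisted=$(persisted_value "$@")
    rc=0
    [ "$runtime" = "1" ] || { echo "FINDING: running value is '$runtime'"; rc=1; }
    [ "$persisted" = "1" ] || { echo "FINDING: persisted value is '${persisted:-unset}'"; rc=1; }
    return "$rc"
}

# make_sample_dir: write two constructed config files, print their directory.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' "$KEY = 1" > "$d/10-base.conf"
    printf '%s\n' '; constructed sample' '-net/ipv4/icmp_echo_ignore_broadcasts=0' \
        "#$KEY = 1" > "$d/99-override.conf"
    echo "$d"
}

# Live use (assumed, simplified load order): sh thisfile --live
if [ "${1:-}" = "--live" ]; then
    audit_icmp_broadcast "$(sysctl -n "$KEY")" /etc/sysctl.d/*.conf /etc/sysctl.conf
fi
```

With the constructed files, 10-base.conf alone passes, but adding 99-override.conf produces a finding even when the running value is 1, because the later file would set the parameter back to 0 on the next load.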