The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-258889 | PHTN-40-000226 | SV-258889r933728_rule | Medium |
| Description |
|---|
| ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. |
| STIG | Date |
|---|---|
| VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide | 2023-10-29 |
Details
| Check Text ( C-62629r933726_chk ) |
|---|
| At the command line, run the following command to verify ICMP secure redirects are not accepted: # /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default).secure_redirects" Expected result: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 If the "secure_redirects" kernel parameters are not set to "0", this is a finding. |
| Fix Text (F-62538r933727_fix) |
|---|
| Navigate to and open: /etc/sysctl.d/zz-stig-hardening.conf Add or update the following lines: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 At the command line, run the following command to load the new configuration: # /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf Note: If the file zz-stig-hardening.conf does not exist, it must be created. |