RHEL 10 must not send Internet Control Message Protocol (ICMP) redirects.

STIG ID: RHEL-10-800190  |  SRG: SRG-OS-000420-GPOS-00186 |  Severity: medium (CAT II)  |  CCI: CCI-002385,CCI-001106 |  Vulnerability Id: V-281351

Vulnerability Discussion

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.

The ability to send ICMP redirects is only appropriate for systems acting as routers.

Satisfies: SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00082

Check

Verify RHEL 10 does not send IPv4 ICMP redirect messages.

Check the value of the "net.ipv4.conf.all.send_redirects" variables with the following command:

$ sudo sysctl net.ipv4.conf.all.send_redirects
net.ipv4.conf.all.send_redirects = 0

If "net.ipv4.conf.all.send_redirects" is not set to "0" and is not documented with the information system security officer as an operational requirement or is missing, this is a finding.

Fix

Configure RHEL 10 to not send IPv4 ICMP redirect messages.

Create a configuration file if it does not already exist:

$ sudo vi /etc/sysctl.d/ipv4_send_redirects.conf

Add the following line to the file:

net.ipv4.conf.all.send_redirects = 0

Reload settings from all system configuration files with the following command:

$ sudo sysctl --system
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.