STIGQter: STIG Summary: Oracle Linux 7 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The Oracle Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.

DISA Rule

SV-221880r603260_rule

Vulnerability Number

V-221880

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

OL07-00-040650

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Configure the system not to allow interfaces to perform IPv4 ICMP redirects by default.

Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):

net.ipv4.conf.default.send_redirects = 0

Issue the following command to make the changes take effect:

# sysctl --system

Check Contents

Verify the system does not allow interfaces to perform IPv4 ICMP redirects by default.

# grep 'net.ipv4.conf.default.send_redirects' /etc/sysctl.conf /etc/sysctl.d/*

If "net.ipv4.conf.default.send_redirects" is not configured in the "/etc/sysctl.conf" file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.

Check that the operating system implements the "default send_redirects" variables with the following command:

# /sbin/sysctl -a | grep 'net.ipv4.conf.default.send_redirects'

net.ipv4.conf.default.send_redirects = 0

If the returned line does not have a value of "0", this is a finding.

Vulnerability Number

V-221880

Documentable

False

Rule Version

OL07-00-040650

Severity Override Guidance

Verify the system does not allow interfaces to perform IPv4 ICMP redirects by default.

# grep 'net.ipv4.conf.default.send_redirects' /etc/sysctl.conf /etc/sysctl.d/*

If "net.ipv4.conf.default.send_redirects" is not configured in the "/etc/sysctl.conf" file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.

Check that the operating system implements the "default send_redirects" variables with the following command:

# /sbin/sysctl -a | grep 'net.ipv4.conf.default.send_redirects'

net.ipv4.conf.default.send_redirects = 0

If the returned line does not have a value of "0", this is a finding.

Check Content Reference

M

Target Key

4089

Comments