The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-258889 | PHTN-40-000226 | SV-258889r933728_rule | CCI-000366 | medium |
| Description | ||||
| ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. | ||||
| STIG | Date | |||
| VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide | 2023-10-29 | |||
Details
Check Text (C-258889r933728_chk)
At the command line, run the following command to verify ICMP secure redirects are not accepted:
# /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default).secure_redirects"
Expected result:
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
If the "secure_redirects" kernel parameters are not set to "0", this is a finding.
Fix Text (F-62538r933727_fix)
Navigate to and open:
/etc/sysctl.d/zz-stig-hardening.conf
Add or update the following lines:
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
At the command line, run the following command to load the new configuration:
# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf
Note: If the file zz-stig-hardening.conf does not exist, it must be created.