← Back to VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide

V-256570

CAT II (Medium)

The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.

Rule ID

SV-256570r991589_rule

STIG

VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide

Version

V1R4

CCIs

CCI-000366

Discussion

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Check Content

At the command line, run the following command:

# /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default|eth.*).secure_redirects"

Expected result:

net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.eth0.secure_redirects = 0

If the output does not match the expected result, this is a finding.

Note: The number of "ethx" lines returned is dependent on the number of interfaces. Every "ethx" entry must be set to "0".

Fix Text

At the command line, run the following command:

# for SETTING in $(/sbin/sysctl -aN --pattern "net.ipv4.conf.(all|default|eth.*).secure_redirects"); do sed -i -e "/^${SETTING}/d" /etc/sysctl.conf;echo $SETTING=0>>/etc/sysctl.conf; done
# /sbin/sysctl --load