SLES-12-030401 - The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.

Information

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Solution

Configure the SUSE operating system to not allow IPv6 ICMP redirect messages by default.

Set the system to the required kernel parameter by adding the following line to '/etc/sysctl.conf' (or modify the line to have the required value):

net.ipv6.conf.default.accept_redirects=0

Run the following command to apply this value:

# sysctl -system

Item Details

Audit Name: DISA SLES 12 STIG v3r4

Category: CONFIGURATION MANAGEMENT

Plugin: Unix

Control ID: fd2fd22514e9d0c3c7b030e041b6d3ba3f717d91d562d52a03c618a1f45dbc12

Detections

Analytics

SLES-12-030401 - The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.

Information

Solution

See Also

Item Details