Bug 972511 - The system must not accept ICMPv4 secure redirect packets by default.
The system must not accept ICMPv4 secure redirect packets by default.
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: initscripts (Show other bugs)
All Linux
unspecified Severity high
: rc
: ---
Assigned To: Lukáš Nykrýn
Depends On: 972509
Blocks: 972512
  Show dependency treegraph
Reported: 2013-06-09 15:23 EDT by Jason Pyeron
Modified: 2016-11-25 08:00 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-06-13 10:21:18 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
RHEL6 STIG patch (442 bytes, patch)
2013-06-09 15:23 EDT, Jason Pyeron
no flags Details | Diff
specfile patch (1.27 KB, patch)
2013-06-09 15:25 EDT, Jason Pyeron
no flags Details | Diff

  None (edit)
Description Jason Pyeron 2013-06-09 15:23:49 EDT
Created attachment 758906 [details]
RHEL6 STIG patch

Description of problem:

The default configuration is not conforming to best practices. The Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) v1.2 published by the Defense Information Systems Agency recommends the changes in the attached patch.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

perform a yum install

Actual results:

root@test /tmp/setup
# sysctl net.ipv4.conf.default.secure_redirects
net.ipv4.conf.default.secure_redirects = 1

Expected results:

$ sysctl net.ipv4.conf.default.secure_redirects

The output of the command should indicate a value of "0". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in "/etc/sysctl.conf".

Additional info:

see: http://iase.disa.mil/stigs/os/unix/red_hat.html
Comment 1 Jason Pyeron 2013-06-09 15:25:16 EDT
Created attachment 758907 [details]
specfile patch
Comment 3 Václav Pavlín 2013-06-13 10:21:18 EDT
Hi, this bug changes the default behaviour of the system and we don't think it is appropriate to do this in a midstream RHEL 6 release.

Note You need to log in before you can comment on or make changes to this bug.