Rule ID
SV-282694r1201062_rule
Version
V1R1
CCIs
Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An attacker may take advantage of this and attempt to flood the logs with bogus error logs. Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.
Query the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter using the following command: $ sudo sysctl net.ipv4.icmp_ignore_bogus_error_responses net.ipv4.icmp_ignore_bogus_error_responses = 1 If "net.ipv4.icmp_ignore_bogus_error_responses" is not set to "1", or a line is not returned, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.icmp_ignore_bogus_error_response | tail -1 net.ipv4.icmp_ignore_bogus_error_response = 1 If "net.ipv4.icmp_ignore_bogus_error_response" is not set to "1" or is missing, this is a finding.
Configure TOSS 5 to not log bogus ICMP errors: Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.icmp_ignore_bogus_error_responses = 1 Load settings from all system configuration files using the following command: $ sudo sysctl --system