STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide

V-258889

CAT II (Medium)

The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.

Rule ID

SV-258889r933728_rule

STIG

VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Check Content

At the command line, run the following command to verify ICMP secure redirects are not accepted:

# /sbin/sysctl -a --pattern "net.ipv4.conf.(all|default).secure_redirects"

Expected result:

net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

If the "secure_redirects" kernel parameters are not set to "0", this is a finding.

Fix Text

Navigate to and open:

/etc/sysctl.d/zz-stig-hardening.conf

Add or update the following lines:

net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

At the command line, run the following command to load the new configuration:

# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf

Note: If the file zz-stig-hardening.conf does not exist, it must be created.