3.1.9 Disable Response to Multicast Echo Request - Check ip6_respond_to_echo_multicast value. Expected value: 0.

Information

The ip6_respond_to_echo_multicast and ip_respond_to_echo_multicast parameters control whether or not IPv6 or IPv4 responds to a multicast IPv6 or IPv4 echo request.

Note - This setting will NOT persist between reboots.

Appendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following commands for it to take effect:
cp cis_netconfig.sh /lib/svc/method
chmod 750 /lib/svc/method/cis_netconfig.sh
svccfg import cis_netconfig.xml

When the service is enabled or the system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date.

Solution

See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
IPv4:
ndd -set /dev/ip ip_respond_to_echo_multicast 0
IPv6:
ndd -set /dev/ip ip6_respond_to_echo_multicast 0
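Because the ndd setting is lost at reboot, it is worth re-checking the running values after each boot. The following is an added example, not part of the benchmark or of cis_netconfig.sh: it reads both parameters with ndd -get and compares them with the expected value 0. The NDD_CMD variable and the --run argument are hypothetical conveniences introduced here.

```shell
#!/bin/sh
# Added example: audit both multicast echo parameters against the expected
# value 0. NDD_CMD is a hypothetical override (not a Solaris setting) that lets
# the check be exercised on a host without ndd.
NDD_CMD=${NDD_CMD:-ndd}

# Print the current value of one /dev/ip parameter (empty if it cannot be read).
get_param() {
    $NDD_CMD -get /dev/ip "$1" 2>/dev/null | tr -d '[:space:]'
}

# Compare one parameter with its expected value; return 0 on PASS, 1 on FAIL.
check_param() {
    param=$1
    expected=$2
    actual=$(get_param "$param")
    if [ -z "$actual" ]; then
        # An unreadable value is treated as a failure, never as compliant.
        echo "FAIL $param: could not read value"
        return 1
    fi
    if [ "$actual" = "$expected" ]; then
        echo "PASS $param = $actual"
        return 0
    fi
    echo "FAIL $param = $actual (expected $expected)"
    return 1
}

# Check the IPv4 and IPv6 parameters; the return code is the failure count.
audit_multicast_echo() {
    failures=0
    for p in ip_respond_to_echo_multicast ip6_respond_to_echo_multicast; do
        check_param "$p" 0 || failures=$((failures + 1))
    done
    return "$failures"
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_multicast_echo
    exit $?
fi
```

A non-zero exit code after a reboot indicates that the cis_netconfig service did not apply the settings.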

See Also

https://workbench.cisecurity.org/files/614

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|9.2

Plugin: Unix

Control ID: ef8b8c49351db26229bf16af971c5d0c1ab79fe41233e49480c22f3aa286e6f2