Saltstack Official Linux Formula

cis-3-2-3.yml 1.3KB

# 3.2.3 Ensure secure ICMP redirects are not accepted
#
# Description
# ===========
# Secure ICMP redirects are the same as ICMP redirects, except they come from
# gateways listed on the default gateway list. It is assumed that these
# gateways are known to your system, and that they are likely to be secure.
#
# Rationale
# =========
# It is still possible for even known gateways to be compromised. Setting
# net.ipv4.conf.all.secure_redirects to 0 protects the system from routing
# table updates by possibly compromised known gateways.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
# # sysctl net.ipv4.conf.all.secure_redirects
# net.ipv4.conf.all.secure_redirects = 0
# # sysctl net.ipv4.conf.default.secure_redirects
# net.ipv4.conf.default.secure_redirects = 0
#
# Remediation
# ===========
#
# Set the following parameters in the /etc/sysctl.conf file:
#
# net.ipv4.conf.all.secure_redirects = 0
# net.ipv4.conf.default.secure_redirects = 0
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.conf.all.secure_redirects=0
# # sysctl -w net.ipv4.conf.default.secure_redirects=0
# # sysctl -w net.ipv4.route.flush=1
parameters:
  linux:
    system:
      kernel:
        sysctl:
          net.ipv4.conf.all.secure_redirects: 0
          net.ipv4.conf.default.secure_redirects: 0
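The audit section above checks only the `all` and `default` keys. The kernel, however, treats secure_redirects as enabled on an interface when either `net.ipv4.conf.all.secure_redirects` or `net.ipv4.conf.<interface>.secure_redirects` is 1 (see the `secure_redirects` entry in the kernel's ip-sysctl documentation), so a per-interface value of 1 silently defeats the benchmark setting. The following audit helper is an added example, not part of salt-formula-linux or of the CIS benchmark text: it reads `sysctl`-style `key = value` lines on stdin, flags every `net.ipv4.conf.*.secure_redirects` entry that is not 0, including per-interface ones, and fails if the two keys the benchmark requires are absent. The function name and the sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from salt-formula-linux): audit helper for CIS 3.2.3.
# Reads lines in the format printed by `sysctl -a` or `sysctl net.ipv4.conf`
# from stdin and prints each secure_redirects setting that is not 0.
# Per-interface entries are checked too, because the kernel enables
# secure_redirects on an interface when conf.all OR conf.<interface> is 1.
# Exit status: 0 compliant, 1 otherwise (including when the benchmark's
# two required keys are missing from the input).
audit_secure_redirects() {
    _status=0
    _seen_all=0
    _seen_default=0
    while IFS= read -r _line; do
        # Only look at net.ipv4.conf.<scope>.secure_redirects lines.
        case "$_line" in
            net.ipv4.conf.*.secure_redirects*) ;;
            *) continue ;;
        esac
        # Split "key = value" and strip whitespace from both halves.
        _key=$(printf '%s' "${_line%%=*}" | tr -d '[:space:]')
        _val=$(printf '%s' "${_line#*=}" | tr -d '[:space:]')
        case "$_key" in
            net.ipv4.conf.all.secure_redirects) _seen_all=1 ;;
            net.ipv4.conf.default.secure_redirects) _seen_default=1 ;;
        esac
        if [ "$_val" != "0" ]; then
            printf 'NONCOMPLIANT %s = %s\n' "$_key" "$_val"
            _status=1
        fi
    done
    if [ "$_seen_all" -ne 1 ] || [ "$_seen_default" -ne 1 ]; then
        printf 'MISSING net.ipv4.conf.all/default.secure_redirects\n'
        _status=1
    fi
    return "$_status"
}

# Constructed sample input: the two benchmark keys are 0, but eth0 carries
# an interface-specific value of 1, which the kernel ORs with conf.all.
SAMPLE_NONCOMPLIANT='net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.eth0.secure_redirects = 1
net.ipv4.conf.lo.secure_redirects = 0'

# Constructed sample input: every scope, including per-interface, is 0.
SAMPLE_COMPLIANT='net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.eth0.secure_redirects = 0
net.ipv4.conf.lo.secure_redirects = 0'

# Demonstration against both samples; the failing case prints the eth0 line.
printf '%s\n' "$SAMPLE_COMPLIANT" | audit_secure_redirects \
    && echo "compliant sample: OK"
printf '%s\n' "$SAMPLE_NONCOMPLIANT" | audit_secure_redirects \
    || echo "non-compliant sample: audit failed as expected"
```

On a live host, feed it the real values with `sysctl -a 2>/dev/null | grep secure_redirects | audit_secure_redirects`. It deliberately reports a non-zero per-interface value even when `all` and `default` are 0, which the two-command audit above would miss.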