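# 3.2.2 Ensure ICMP redirects are not accepted
#
# Description
# ===========
# ICMP redirect messages are packets that convey routing information and tell
# your host (acting as a router) to send packets via an alternate path. It is
# a way of allowing an outside routing device to update your system routing
# tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will
# not accept any ICMP redirect messages, and therefore won't allow outsiders
# to update the system's routing tables.
#
# Rationale
# =========
# Attackers could use bogus ICMP redirect messages to maliciously alter the
# system routing tables and get the host to send packets to the wrong next hop,
# allowing its traffic to be captured or tampered with (a man-in-the-middle
# position on the local link).
#
# Scope and caveats
# =================
# - This control covers IPv4 only. The IPv6 equivalents
#   (net.ipv6.conf.all.accept_redirects, net.ipv6.conf.default.accept_redirects)
#   belong to a separate control and must also be disabled on dual-stack hosts,
#   otherwise the equivalent attack remains possible over IPv6.
# - Per the kernel's ip-sysctl documentation, accept_redirects is evaluated per
#   interface: with forwarding disabled, an interface accepts redirects if
#   EITHER conf.all OR conf.<iface>.accept_redirects is 1. The `default` key
#   only seeds interfaces created afterwards, so an interface that already
#   exists with conf.<iface>.accept_redirects=1 keeps accepting redirects until
#   that per-interface value is set to 0 as well (or the host is rebooted with
#   the persistent configuration in place). Check all of them with:
#     sysctl -a 2>/dev/null | grep accept_redirects
# - On hosts that also use /etc/sysctl.d/, confirm that no drop-in applied
#   after this setting re-enables it; the processing order of sysctl.conf
#   versus sysctl.d is distribution-dependent.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
# # sysctl net.ipv4.conf.all.accept_redirects
# net.ipv4.conf.all.accept_redirects = 0
# # sysctl net.ipv4.conf.default.accept_redirects
# net.ipv4.conf.default.accept_redirects = 0
#
# Remediation
# ===========
#
# Set the following parameters in the /etc/sysctl.conf file:
#
# net.ipv4.conf.all.accept_redirects = 0
# net.ipv4.conf.default.accept_redirects = 0
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.conf.all.accept_redirects=0
# # sysctl -w net.ipv4.conf.default.accept_redirects=0
# # sysctl -w net.ipv4.route.flush=1
#
# The final route flush makes sure that any routes the kernel already learned
# from a redirect before the change do not linger in the routing state.

parameters:
  linux:
    system:
      kernel:
        sysctl:
          # IPv4 only; see "Scope and caveats" above for the IPv6 keys and the
          # per-interface values that this pair does not cover.
          net.ipv4.conf.all.accept_redirects: 0
          net.ipv4.conf.default.accept_redirects: 0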