# 3.2.3 Ensure secure ICMP redirects are not accepted
#
# Description
# ===========
# Secure ICMP redirects are the same as ICMP redirects, except they come from
# gateways listed on the default gateway list. It is assumed that these
# gateways are known to your system, and that they are likely to be secure.
#
# Rationale
# =========
# It is still possible for even known gateways to be compromised. Setting
# net.ipv4.conf.all.secure_redirects to 0 protects the system from routing
# table updates by possibly compromised known gateways.
#
# NOTE(review): secure_redirects only narrows which redirects are accepted
# while redirect acceptance itself is enabled. This control appears to be
# meant to be applied together with net.ipv4.conf.{all,default}.accept_redirects = 0;
# confirm that the companion setting is enforced as well.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
#   # sysctl net.ipv4.conf.all.secure_redirects
#   net.ipv4.conf.all.secure_redirects = 0
#   # sysctl net.ipv4.conf.default.secure_redirects
#   net.ipv4.conf.default.secure_redirects = 0
#
# NOTE(review): per the kernel's ip-sysctl documentation, secure_redirects is
# in effect on an interface when either conf/all or conf/<interface> is set,
# and conf/default only seeds interfaces created after it is written. Also
# check every existing interface (<iface> is a placeholder):
#
#   # sysctl net.ipv4.conf.<iface>.secure_redirects
#
# Remediation
# ===========
#
# Set the following parameters in the /etc/sysctl.conf file:
#
#   net.ipv4.conf.all.secure_redirects = 0
#   net.ipv4.conf.default.secure_redirects = 0
#
# NOTE(review): a drop-in under /etc/sysctl.d/ may set the same keys again
# when sysctl settings are loaded; verify no other file overrides them.
#
# Run the following commands to set the active kernel parameters:
#
#   # sysctl -w net.ipv4.conf.all.secure_redirects=0
#   # sysctl -w net.ipv4.conf.default.secure_redirects=0
#   # sysctl -w net.ipv4.route.flush=1
#
# The mapping below declares both keys with value 0 under
# linux:system:kernel:sysctl. It is presumably rendered into the persistent
# sysctl configuration by the consuming tooling (confirm against the consumer).
parameters:
  linux:
    system:
      kernel:
        sysctl:
          # Applies to all interfaces (combined with each per-interface value).
          net.ipv4.conf.all.secure_redirects: 0
          # Initial value for interfaces created after this is applied.
          net.ipv4.conf.default.secure_redirects: 0