- # 3.2.2 Ensure ICMP redirects are not accepted
- #
- # Description
- # ===========
- # ICMP redirect messages are packets that convey routing information and tell
- # your host (acting as a router) to send packets via an alternate path. It is
- # a way of allowing an outside routing device to update your system routing
- # tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will
- # not accept any ICMP redirect messages, and therefore, won't allow outsiders
- # to update the system's routing tables.
- #
- # Rationale
- # =========
- # Attackers could use bogus ICMP redirect messages to maliciously alter the
- # system routing tables and get them to send packets to incorrect networks and
- # allow your system packets to be captured.
- #
- # Audit
- # =====
- #
- # Run the following commands and verify output matches:
- #
- # # sysctl net.ipv4.conf.all.accept_redirects
- # net.ipv4.conf.all.accept_redirects = 0
- # # sysctl net.ipv4.conf.default.accept_redirects
- # net.ipv4.conf.default.accept_redirects = 0
- #
- # Remediation
- # ===========
- #
- # Set the following parameters in the /etc/sysctl.conf file:
- #
- # net.ipv4.conf.all.accept_redirects = 0
- # net.ipv4.conf.default.accept_redirects = 0
- #
- # Run the following commands to set the active kernel parameters:
- #
- # # sysctl -w net.ipv4.conf.all.accept_redirects=0
- # # sysctl -w net.ipv4.conf.default.accept_redirects=0
- # # sysctl -w net.ipv4.route.flush=1
-
- parameters:
- linux:
- system:
- kernel:
- sysctl:
- net.ipv4.conf.all.accept_redirects: 0
- net.ipv4.conf.default.accept_redirects: 0
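Review bot: The `parameters` block at the end of the hunk omits `net.ipv4.route.flush: 1`, although the Remediation text in the header lists `sysctl -w net.ipv4.route.flush=1` as the last of the three commands to run after setting the two keys; either carry the flush in the sysctl map or say in the header that the flush is triggered elsewhere, otherwise routes accepted before the change stay in place until the next reboot. Two smaller points in the header comment: the Description says a redirect tells "your host (acting as a router)" where to send packets, but ICMP redirects are sent by a router to a host, so "(acting as a router)" should be dropped; and setting only `conf.all` and `conf.default` does not override an interface whose own `accept_redirects` is already 1 while forwarding is off on that interface (the per-interface value is ORed with `all` in that case), so the Audit should also cover the `net.ipv4.conf.<iface>.accept_redirects` keys, or the text should state that interfaces are expected to inherit from `default`.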