|
- # 3.2.3 Ensure secure ICMP redirects are not accepted
- #
- # Description
- # ===========
- # Secure ICMP redirects are the same as ICMP redirects, except they come from
- # gateways listed on the default gateway list. It is assumed that these
- # gateways are known to your system, and that they are likely to be secure.
- #
- # Rationale
- # =========
- # It is still possible for even known gateways to be compromised. Setting
- # net.ipv4.conf.all.secure_redirects to 0 protects the system from routing
- # table updates by possibly compromised known gateways.
- #
- # Audit
- # =====
- #
- # Run the following commands and verify output matches:
- #
- # # sysctl net.ipv4.conf.all.secure_redirects
- # net.ipv4.conf.all.secure_redirects = 0
- # # sysctl net.ipv4.conf.default.secure_redirects
- # net.ipv4.conf.default.secure_redirects = 0
- #
- # Remediation
- # ===========
- #
- # Set the following parameters in the /etc/sysctl.conf file:
- #
- # net.ipv4.conf.all.secure_redirects = 0
- # net.ipv4.conf.default.secure_redirects = 0
- #
- # Run the following commands to set the active kernel parameters:
- #
- # # sysctl -w net.ipv4.conf.all.secure_redirects=0
- # # sysctl -w net.ipv4.conf.default.secure_redirects=0
- # # sysctl -w net.ipv4.route.flush=1
-
- parameters:
- linux:
- system:
- kernel:
- sysctl:
- net.ipv4.conf.all.secure_redirects: 0
- net.ipv4.conf.default.secure_redirects: 0
|
