ExternalMirrors
/
linux-formula
Mirror von https://github.com/salt-formulas/salt-formula-linux
Beobachten 1
Favorisieren 0
Fork 1
Code Issues 0 Releases 8 Wiki Aktivität
Saltstack Official Linux Formula
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
758 Commits
26 Branches
Struktur: e85db680ac
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „e85db680ac“
${ noResults }
linux-formula/metadata/service/system/cis/cis-3-2-1.yml

57 Zeilen
2.1KB
Originalformat Blame Verlauf 

  1. # 3.2.1 Ensure source routed packets are not accepted

  2. #

  3. # Description

  4. # ===========

  5. # In networking, source routing allows a sender to partially or fully specify

  6. # the route packets take through a network. In contrast, non-source routed

  7. # packets travel a path determined by routers in the network. In some cases,

  8. # systems may not be routable or reachable from some locations (e.g. private

  9. # addresses vs. Internet routable), and so source routed packets would need

  10. # to be used.

  11. #

  12. # Rationale

  13. # =========

  14. # Setting `net.ipv4.conf.all.accept_source_route` and

  15. # `net.ipv4.conf.default.accept_source_route` to 0 disables the system from

  16. # accepting source routed packets. Assume this system was capable of routing

  17. # packets to Internet routable addresses on one interface and private addresses

  18. # on another interface. Assume that the private addresses were not routable to

  19. # the Internet routable addresses and vice versa. Under normal routing

  20. # circumstances, an attacker from the Internet routable addresses could not use

  21. # the system as a way to reach the private address systems. If, however, source

  22. # routed packets were allowed, they could be used to gain access to the private

  23. # address systems as the route could be specified, rather than rely on routing

  24. # protocols that did not allow this routing.

  25. #

  26. # Audit

  27. # =====

  28. #

  29. # Run the following commands and verify output matches:

  30. #

  31. #   # sysctl net.ipv4.conf.all.accept_source_route

  32. #   net.ipv4.conf.all.accept_source_route = 0

  33. #   # sysctl net.ipv4.conf.default.accept_source_route

  34. #   net.ipv4.conf.default.accept_source_route = 0

  35. #

  36. # Remediation

  37. # ===========

  38. #

  39. # Set the following parameters in the /etc/sysctl.conf file:

  40. #

  41. #   net.ipv4.conf.all.accept_source_route = 0

  42. #   net.ipv4.conf.default.accept_source_route = 0

  43. #

  44. # Run the following commands to set the active kernel parameters:

  45. #

  46. #   # sysctl -w net.ipv4.conf.all.accept_source_route=0

  47. #   # sysctl -w net.ipv4.conf.default.accept_source_route=0

  48. #   # sysctl -w net.ipv4.route.flush=1

  49. 

  50. parameters:

  51.   linux:

  52.     system:

  53.       kernel:

  54.         sysctl:

  55.           net.ipv4.conf.all.accept_source_route: 0

  56.           net.ipv4.conf.default.accept_source_route: 0