Saltstack Official Linux Formula

57 lines
2.1KB

# 3.2.1 Ensure source routed packets are not accepted
#
# Description
# ===========
# In networking, source routing allows a sender to partially or fully specify
# the route packets take through a network. In contrast, non-source routed
# packets travel a path determined by routers in the network. In some cases,
# systems may not be routable or reachable from some locations (e.g. private
# addresses vs. Internet routable), and so source routed packets would need
# to be used.
#
# Rationale
# =========
# Setting `net.ipv4.conf.all.accept_source_route` and
# `net.ipv4.conf.default.accept_source_route` to 0 stops the system from
# accepting source routed packets. Assume this system was capable of routing
# packets to Internet routable addresses on one interface and private addresses
# on another interface. Assume that the private addresses were not routable to
# the Internet routable addresses and vice versa. Under normal routing
# circumstances, an attacker from the Internet routable addresses could not use
# the system as a way to reach the private address systems. If, however, source
# routed packets were allowed, they could be used to gain access to the private
# address systems, as the route could be specified rather than relying on routing
# protocols that did not allow this routing.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
# # sysctl net.ipv4.conf.all.accept_source_route
# net.ipv4.conf.all.accept_source_route = 0
# # sysctl net.ipv4.conf.default.accept_source_route
# net.ipv4.conf.default.accept_source_route = 0
#
# Remediation
# ===========
#
# Set the following parameters in the /etc/sysctl.conf file:
#
# net.ipv4.conf.all.accept_source_route = 0
# net.ipv4.conf.default.accept_source_route = 0
#
# Run the following commands to set the active kernel parameters:
#
# # sysctl -w net.ipv4.conf.all.accept_source_route=0
# # sysctl -w net.ipv4.conf.default.accept_source_route=0
# # sysctl -w net.ipv4.route.flush=1
parameters:
  linux:
    system:
      kernel:
        sysctl:
          net.ipv4.conf.all.accept_source_route: 0
          net.ipv4.conf.default.accept_source_route: 0
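The Audit step above is two manual `sysctl` calls compared by eye. The following is an added POSIX sh helper, not part of this formula, that performs the same comparison on `sysctl` output (or `/etc/sysctl.conf` lines) and exits non-zero if any `accept_source_route` key is not 0; the sample output it runs against is constructed, with one key deliberately left at 1 so the failure path is visible.

```shell
#!/bin/sh
# Added audit helper for CIS 3.2.1 (not part of the salt-formulas linux formula).
# Reads "key = value" or "key=value" lines on stdin, as printed by `sysctl`
# or found in /etc/sysctl.conf, and returns 1 if any accept_source_route
# key is set to anything other than 0. Unrelated keys are ignored.
audit_source_route() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') continue ;;            # skip comments and blank lines
            *accept_source_route*) ;;       # keep only this control's keys
            *) continue ;;                  # ignore every other sysctl key
        esac
        # Normalise "key = value" / "key=value" into two positional fields.
        set -- $(printf '%s\n' "$line" | tr '=' ' ')
        key=$1
        val=$2
        if [ "$val" != "0" ]; then
            printf 'FAIL %s = %s (expected 0)\n' "$key" "$val"
            rc=1
        else
            printf 'PASS %s = 0\n' "$key"
        fi
    done
    return $rc
}

# Constructed sample of `sysctl` output: the "default" key is left at 1 so
# the non-compliant branch is exercised without touching the live kernel.
SAMPLE_OUTPUT='net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 1'

if printf '%s\n' "$SAMPLE_OUTPUT" | audit_source_route; then
    echo "3.2.1: compliant"
else
    echo "3.2.1: NOT compliant"
fi

# Against a running system, feed the same two keys the Audit section lists:
#   sysctl net.ipv4.conf.all.accept_source_route \
#          net.ipv4.conf.default.accept_source_route | audit_source_route
```

Because the filter matches any key containing `accept_source_route`, piping `sysctl -a` through it also reports the per-interface and IPv6 variants of the same knob, which the two manual commands above do not cover.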