# 3.2.1 Ensure source routed packets are not accepted
#
# Description
# ===========
# In networking, source routing allows a sender to partially or fully specify
# the route packets take through a network. In contrast, non-source routed
# packets travel a path determined by routers in the network. In some cases,
# systems may not be routable or reachable from some locations (e.g. private
# addresses vs. Internet routable), and so source routed packets would need
# to be used.
#
# Rationale
# =========
# Setting `net.ipv4.conf.all.accept_source_route` and
# `net.ipv4.conf.default.accept_source_route` to 0 prevents the system from
# accepting source routed packets. Assume this system was capable of routing
# packets to Internet routable addresses on one interface and private addresses
# on another interface, and that the private addresses were not routable to
# the Internet routable addresses and vice versa. Under normal routing
# circumstances, an attacker on the Internet routable network could not use
# the system as a way to reach the private address systems. If, however, source
# routed packets were accepted, the attacker could reach the private address
# systems by specifying the route inside the packet itself, bypassing the
# routing tables that did not allow that path.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
# # sysctl net.ipv4.conf.all.accept_source_route
# net.ipv4.conf.all.accept_source_route = 0
# # sysctl net.ipv4.conf.default.accept_source_route
# net.ipv4.conf.default.accept_source_route = 0
#
# Remediation
# ===========
#
# Set the following parameters in /etc/sysctl.conf (or in a file under
# /etc/sysctl.d/) so that they persist across reboots:
#
# net.ipv4.conf.all.accept_source_route = 0
# net.ipv4.conf.default.accept_source_route = 0
#
# Run the following commands to set the active kernel parameters. These change
# the running kernel only (the file above provides persistence); the final
# command flushes the routing cache so the change takes effect immediately:
#
# # sysctl -w net.ipv4.conf.all.accept_source_route=0
# # sysctl -w net.ipv4.conf.default.accept_source_route=0
# # sysctl -w net.ipv4.route.flush=1
# Persistent sysctl settings implementing CIS 3.2.1: refuse IPv4 packets that
# carry a source route, for the `all` and `default` interface scopes.
# NOTE(review): the key path linux.system.kernel.sysctl is presumably consumed
# by a Salt/reclass formula that writes these values to sysctl — confirm with
# the consumer, including whether it flushes the route cache after applying.
# NOTE(review): only IPv4 is covered here. If IPv6 is enabled on the host,
# consider also setting net.ipv6.conf.{all,default}.accept_source_route to 0;
# on hosts with IPv6 disabled those keys do not exist, so do not add them
# unconditionally.
parameters:
  linux:
    system:
      kernel:
        sysctl:
          # Both scopes are set: conventionally `all` applies to interfaces that
          # already exist and `default` seeds interfaces created later — confirm
          # against the kernel documentation for this sysctl.
          net.ipv4.conf.all.accept_source_route: 0
          net.ipv4.conf.default.accept_source_route: 0