| # 3.2.3 Ensure secure ICMP redirects are not accepted |
| # |
| # Description |
| # =========== |
| # Secure ICMP redirects are the same as ICMP redirects, except they come from |
| # gateways listed on the default gateway list. It is assumed that these |
| # gateways are known to your system, and that they are likely to be secure. |
| # |
| # Rationale |
| # ========= |
| # It is still possible for even known gateways to be compromised. Setting |
| # net.ipv4.conf.all.secure_redirects to 0 protects the system from routing |
| # table updates by possibly compromised known gateways. |
| # |
| # Audit |
| # ===== |
| # |
| # Run the following commands and verify output matches: |
| # |
| # # sysctl net.ipv4.conf.all.secure_redirects |
| # net.ipv4.conf.all.secure_redirects = 0 |
| # # sysctl net.ipv4.conf.default.secure_redirects |
| # net.ipv4.conf.default.secure_redirects = 0 |
| # |
| # Remediation |
| # =========== |
| # |
| # Set the following parameters in the /etc/sysctl.conf file: |
| # |
| # net.ipv4.conf.all.secure_redirects = 0 |
| # net.ipv4.conf.default.secure_redirects = 0 |
| # |
| # Run the following commands to set the active kernel parameters: |
| # |
| # # sysctl -w net.ipv4.conf.all.secure_redirects=0 |
| # # sysctl -w net.ipv4.conf.default.secure_redirects=0 |
| # # sysctl -w net.ipv4.route.flush=1 |
| |
| parameters: |
| linux: |
| system: |
| kernel: |
| sysctl: |
| net.ipv4.conf.all.secure_redirects: 0 |
| net.ipv4.conf.default.secure_redirects: 0 |