metadata/service/system/cis/cis-3-2-7.yml

# 3.2.7 Ensure Reverse Path Filtering is enabled
#
# Description
# ===========
# Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1
# forces the Linux kernel to utilize reverse path filtering on a received
# packet to determine if the packet was valid. Essentially, with reverse path
# filtering, if the return packet does not go out the same interface that the
# corresponding source packet came from, the packet is dropped (and logged if
# log_martians is set).
#
# Rationale
# =========
# Setting these flags is a good way to deter attackers from sending your system
# bogus packets that cannot be responded to. One instance where this feature
# breaks down is if asymmetrical routing is employed. This would occur when
# using dynamic routing protocols (bgp, ospf, etc) on your system. If you are
# using asymmetrical routing on your system, you will not be able to enable
# this feature without breaking the routing.
#
# Audit
# =====
#
# Run the following commands and verify output matches:
#
#   # sysctl net.ipv4.conf.all.rp_filter
#   net.ipv4.conf.all.rp_filter = 1
#   # sysctl net.ipv4.conf.default.rp_filter
#   net.ipv4.conf.default.rp_filter = 1
#
# Remediation
# ===========
#
# Set the following parameters in the /etc/sysctl.conf file:
#
#   net.ipv4.conf.all.rp_filter = 1
#   net.ipv4.conf.default.rp_filter = 1
#
# Run the following commands to set the active kernel parameters:
#
#   # sysctl -w net.ipv4.conf.all.rp_filter=1
#   # sysctl -w net.ipv4.conf.default.rp_filter=1
#   # sysctl -w net.ipv4.route.flush=1

parameters:
  linux:
    system:
      kernel:
        sysctl:
          net.ipv4.conf.all.rp_filter: 1
          net.ipv4.conf.default.rp_filter: 1