Guide to the Secure Configuration of Alibaba Cloud Linux 3
Rules, Groups, and Values defined within the XCCDF Benchmark
-
net.ipv4.conf.default.arp_ignore
Control the response modes for ARP queries that resolve local target IP addresses: 0 - (default): reply for any local target IP address, configured on any interface 1 - reply only if the target IP...Value -
net.ipv4.conf.all.rp_filter
Enable to enforce sanity checking, also called ingress filtering or egress filtering. The point is to drop a packet if the source and destination IP addresses in the IP header do not make sense whe...Value -
net.ipv4.conf.all.secure_redirects
Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packets on all interfaces.Value -
net.ipv4.conf.all.shared_media
Controls whether the system can send (router) or accept (host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/sh...Value -
net.ipv4.conf.default.accept_redirects
Disable ICMP Redirect Acceptance?Value -
net.ipv4.conf.default.shared_media
Controls whether the system can send(router) or accept(host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/shar...Value -
net.ipv4.icmp_echo_ignore_broadcasts
Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicastValue -
net.ipv4.icmp_ignore_bogus_error_responses
Enable to prevent unnecessary loggingValue -
net.ipv4.tcp_syncookies
Enable to turn on TCP SYN Cookie ProtectionValue -
Configure Response Mode of ARP Requests for All IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.arp_ignore</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.arp_ignore=<xccdf-1.2:sub idref="xccd...Rule Medium Severity -
Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.route_localnet</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.route_localnet=0</pre> To make su...Rule Medium Severity -
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</pre> To make sure that th...Rule Medium Severity -
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.secure_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0</pre> To mak...Rule Medium Severity -
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.default.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0</pre...Rule Medium Severity -
Configure Sending and Accepting Shared Media Redirects by Default
To set the runtime status of the <code>net.ipv4.conf.default.shared_media</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.shared_media=<xccdf-1.2:sub...Rule Medium Severity -
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</pre> To...Rule Medium Severity -
Network Parameters for Hosts Only
If the system is not going to be used as a router, then setting certain kernel parameters ensure that the host will not perform routing of network traffic.Group -
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0</pre> To make su...Rule Medium Severity -
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.ip_forward=0</pre> To make sure that the setting is per...Rule Medium Severity -
nftables
<code>If firewalld or iptables are being used in your environment, please follow the guidance in their respective section and pass-over the guidance in this section.</code><br><br> nftables is a su...Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.