Guide to the Secure Configuration of Anolis OS 23
Rules, Groups, and Values defined within the XCCDF Benchmark
-
net.ipv4.conf.all.accept_source_route
Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.Value -
net.ipv4.conf.default.arp_filter
Controls whether the ARP filter is enabled or not. 1 - Allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not t...Value -
net.ipv4.conf.default.arp_ignore
Control the response modes for ARP queries that resolve local target IP addresses: 0 - (default): reply for any local target IP address, configured on any interface 1 - reply only if the target IP...Value -
net.ipv4.conf.all.log_martians
Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect PacketsValue -
net.ipv4.conf.all.rp_filter
Enable to enforce sanity checking, also called ingress filtering or egress filtering. The point is to drop a packet if the source and destination IP addresses in the IP header do not make sense whe...Value -
net.ipv4.conf.all.secure_redirects
Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packets on all interfaces.Value -
net.ipv4.conf.all.shared_media
Controls whether the system can send (router) or accept (host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/sh...Value -
net.ipv4.conf.default.accept_redirects
Disable ICMP Redirect Acceptance?Value -
net.ipv4.conf.default.accept_source_route
Disable IP source routing?Value -
net.ipv4.conf.default.log_martians
Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect PacketsValue -
net.ipv4.conf.default.secure_redirects
Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packages by default.Value -
net.ipv4.conf.default.shared_media
Controls whether the system can send(router) or accept(host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/shar...Value -
net.ipv4.icmp_echo_ignore_broadcasts
Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicastValue -
net.ipv4.icmp_ignore_bogus_error_responses
Enable to prevent unnecessary loggingValue -
net.ipv4.tcp_syncookies
Enable to turn on TCP SYN Cookie ProtectionValue -
Disable Accepting ICMP Redirects for All IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0</pre> To mak...Rule Medium Severity -
Configure ARP filtering for All IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.arp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.arp_filter=<xccdf-1.2:sub idref="xccd...Rule Medium Severity -
Configure Response Mode of ARP Requests for All IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.arp_ignore</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.arp_ignore=<xccdf-1.2:sub idref="xccd...Rule Medium Severity -
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</pre> To make sure that th...Rule Medium Severity -
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
To set the runtime status of the <code>net.ipv4.conf.all.secure_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0</pre> To mak...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.