Skip to content
Log In

Guide to the Secure Configuration of Anolis OS 8

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0</pre> ...
    Rule Medium Severity
    Show

  • Disable Kernel Parameter for IPv6 Forwarding

    To set the runtime status of the <code>net.ipv6.conf.all.forwarding</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.forwarding=0</pre> To make sure that ...
    Rule Medium Severity
    Show

  • Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

    To set the runtime status of the <code>net.ipv6.conf.default.accept_ra</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0</pre> To make sure...
    Rule Medium Severity
    Show

  • Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

    To set the runtime status of the <code>net.ipv6.conf.default.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0</pre...
    Rule Medium Severity
    Show

  • Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

    To set the runtime status of the <code>net.ipv6.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=...
    Rule Medium Severity
    Show

  • net.ipv4.conf.default.secure_redirects

    Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packages by default.
    Value
    Show

  • Kernel Parameters Which Affect Networking

    The sysctl utility is used to set parameters which affect the operation of the Linux kernel. Kernel parameters which affect networking and have security implications are described here.
    Group
    Show

  • Network Related Kernel Runtime Parameters for Hosts and Routers

    Certain kernel parameters should be set for systems which are acting as either hosts or routers to improve the system's ability defend against certain types of IPv4 protocol attacks.
    Group
    Show

  • net.ipv4.conf.all.accept_redirects

    Disable ICMP Redirect Acceptance
    Value
    Show

  • net.ipv4.conf.all.accept_source_route

    Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
    Value
    Show

  • net.ipv4.conf.default.arp_filter

    Controls whether the ARP filter is enabled or not. 1 - Allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not t...
    Value
    Show

  • net.ipv4.conf.default.arp_ignore

    Control the response modes for ARP queries that resolve local target IP addresses: 0 - (default): reply for any local target IP address, configured on any interface 1 - reply only if the target IP...
    Value
    Show

  • net.ipv4.conf.all.log_martians

    Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect Packets
    Value
    Show

  • net.ipv4.conf.all.rp_filter

    Enable to enforce sanity checking, also called ingress filtering or egress filtering. The point is to drop a packet if the source and destination IP addresses in the IP header do not make sense whe...
    Value
    Show

  • net.ipv4.conf.all.secure_redirects

    Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packets on all interfaces.
    Value
    Show

  • net.ipv4.conf.all.shared_media

    Controls whether the system can send (router) or accept (host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/sh...
    Value
    Show

  • net.ipv4.conf.default.accept_redirects

    Disable ICMP Redirect Acceptance?
    Value
    Show

  • net.ipv4.conf.default.accept_source_route

    Disable IP source routing?
    Value
    Show

  • net.ipv4.conf.default.log_martians

    Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect Packets
    Value
    Show

  • net.ipv4.conf.default.shared_media

    Controls whether the system can send(router) or accept(host) RFC1620 shared media redirects. <code>shared_media</code> for the interface will be enabled if at least one of conf/{all,interface}/shar...
    Value
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules