An XCCDF Group - A logical subset of the XCCDF Benchmark
/etc/ipsec.d
$ sudo chgrp root /etc/ipsec.d
$ sudo chown root /etc/ipsec.d
$ sudo chmod 0700 /etc/ipsec.d
/etc/ipsec.conf
$ sudo chgrp root /etc/ipsec.conf
/etc/ipsec.secrets
$ sudo chgrp root /etc/ipsec.secrets
$ sudo chown root /etc/ipsec.conf
$ sudo chown root /etc/ipsec.secrets
$ sudo chmod 0644 /etc/ipsec.conf
$ sudo chmod 0644 /etc/ipsec.secrets
Note: /etc/ipsec.secrets holds pre-shared keys and private-key references; a mode of 0644 leaves it world-readable, whereas the IPsec daemons conventionally expect this file to be readable by root only (0600). Confirm the intended mode before applying this step.
netfilter
iptables
ip6tables
/etc/iptables
$ sudo chgrp root /etc/iptables
$ sudo chown root /etc/iptables
$ sudo chmod 0700 /etc/iptables
net.ipv6.conf.all.accept_ra_defrtr
$ sudo sysctl -w net.ipv6.conf.all.accept_ra_defrtr=0
/etc/sysctl.d
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_pinfo
$ sudo sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_ra_rtr_pref
$ sudo sysctl -w net.ipv6.conf.all.accept_ra_rtr_pref=0
net.ipv6.conf.all.accept_ra_rtr_pref = 0
net.ipv6.conf.all.accept_redirects
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.autoconf
$ sudo sysctl -w net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.max_addresses
$ sudo sysctl -w net.ipv6.conf.all.max_addresses=1
net.ipv6.conf.all.max_addresses = 1
net.ipv6.conf.all.router_solicitations
$ sudo sysctl -w net.ipv6.conf.all.router_solicitations=0
net.ipv6.conf.all.router_solicitations = 0
net.ipv6.conf.default.accept_ra_defrtr
$ sudo sysctl -w net.ipv6.conf.default.accept_ra_defrtr=0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_pinfo
$ sudo sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_rtr_pref
$ sudo sysctl -w net.ipv6.conf.default.accept_ra_rtr_pref=0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_redirects
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_source_route
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.default.autoconf
$ sudo sysctl -w net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.max_addresses
$ sudo sysctl -w net.ipv6.conf.default.max_addresses=1
net.ipv6.conf.default.max_addresses = 1
net.ipv6.conf.default.router_solicitations
$ sudo sysctl -w net.ipv6.conf.default.router_solicitations=0
net.ipv6.conf.default.router_solicitations = 0
sysctl
shared_media
net.ipv4.conf.all.accept_local
$ sudo sysctl -w net.ipv4.conf.all.accept_local=0
net.ipv4.conf.all.accept_local = 0
net.ipv4.conf.all.accept_redirects
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.arp_filter
$ sudo sysctl -w net.ipv4.conf.all.arp_filter=
net.ipv4.conf.all.arp_filter =
net.ipv4.conf.all.arp_ignore
$ sudo sysctl -w net.ipv4.conf.all.arp_ignore=
net.ipv4.conf.all.arp_ignore =
net.ipv4.conf.all.drop_gratuitous_arp
$ sudo sysctl -w net.ipv4.conf.all.drop_gratuitous_arp=1
net.ipv4.conf.all.drop_gratuitous_arp = 1
net.ipv4.conf.all.route_localnet
$ sudo sysctl -w net.ipv4.conf.all.route_localnet=0
net.ipv4.conf.all.route_localnet = 0
net.ipv4.conf.all.rp_filter
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects
$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.shared_media
$ sudo sysctl -w net.ipv4.conf.all.shared_media=
net.ipv4.conf.all.shared_media =
net.ipv4.conf.default.accept_redirects
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.rp_filter
$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.secure_redirects
$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.shared_media
$ sudo sysctl -w net.ipv4.conf.default.shared_media=
net.ipv4.conf.default.shared_media =
net.ipv4.icmp_ignore_bogus_error_responses
$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_local_port_range
$ sudo sysctl -w "net.ipv4.ip_local_port_range=32768 65535"
net.ipv4.ip_local_port_range = 32768 65535
net.ipv4.tcp_rfc1337
$ sudo sysctl -w net.ipv4.tcp_rfc1337=1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_syncookies
$ sudo sysctl -w net.ipv4.tcp_syncookies=1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.send_redirects
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward
$ sudo sysctl -w net.ipv4.ip_forward=0
net.ipv4.ip_forward = 0
If firewalld or iptables is being used in your environment, follow the guidance in its respective section and skip the guidance in this section.
/etc/nftables
$ sudo chgrp root /etc/nftables
$ sudo chown root /etc/nftables
$ sudo chmod 0700 /etc/nftables