Configure Kernel Parameter for Accepting Secure Redirects By Default

An XCCDF Rule

Description

To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.secure_redirects = 0

Rationale

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects
Severity: Medium
References: BP28(R22)

1 11 12 13 14 15 16 18 2 3 4 6 7 8 9

APO01.06 APO13.01 BAI04.04 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.03 DSS01.05 DSS03.01 DSS03.05 DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06

3.1.20

CCI-001551

4.2.3.4 4.3.3.4 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3 4.4.3.3

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 6.2 SR 7.1 SR 7.2 SR 7.6

A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.12.1.1 A.12.1.2 A.12.1.3 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.2 A.13.1.3 A.13.2.1 A.13.2.2 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.17.2.1 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

CIP-007-3 R4 CIP-007-3 R4.1 CIP-007-3 R4.2 CIP-007-3 R5.1

CM-7(a) CM-7(b) SC-5 SC-7(a)

DE.AE-1 DE.CM-1 ID.AM-3 PR.AC-5 PR.DS-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4

SRG-OS-000480-GPOS-00227

CCE-82483-9
Updated: about 1 year ago

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.ipv4.conf.default.secure_redirects%3D0%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_secure_redirects.conf
        overwrite: true

Configure Kernel Parameter for Accepting Secure Redirects By Default

Description

Rationale

Remediation - Kubernetes Patch