Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
An XCCDF Rule
Description
To set the runtime status of the net.ipv4.conf.all.secure_redirects
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
: net.ipv4.conf.all.secure_redirects = 0
Rationale
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
- ID
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.conf.all.secure_redirects from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
Remediation - Ansible
- name: List /etc/sysctl.d/*.conf files
find:
paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/