3.1.2 Ensure packet redirect sending is disabled - sysctl net.ipv4.conf.default.send_redirects=0

Information

ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects.

Rationale:

An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.

Solution

Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

Run the following commands to set the active kernel parameters:

# sysctl -w net.ipv4.conf.all.send_redirects=0
# sysctl -w net.ipv4.conf.default.send_redirects=0
# sysctl -w net.ipv4.route.flush=1

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-72293

Rule ID: SV-86917r3_rule

STIG ID: RHEL-07-040660

Severity: CAT II



Vul ID: V-72291

Rule ID: SV-86915r4_rule

STIG ID: RHEL-07-040650

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Unix

Control ID: e431113d88dcf39a60f4afe2709d08252f9a11fa89f035a8493bf1a4ee212740