3.2.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.default.secure_redirects = 0 /etc/sysctl.conf /etc/sysctl.d/*'

Information

It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways.

Solution

Set the following parameters in the /etc/sysctl.conf file - net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0 Run the following commands to set the active kernel parameters - # sysctl -w net.ipv4.conf.all.secure_redirects=0
# sysctl -w net.ipv4.conf.default.secure_redirects=0
# sysctl -w net.ipv4.route.flush=1

See Also

https://workbench.cisecurity.org/files/1863

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|9.2

Plugin: Unix

Control ID: d42724da89459eadf97971397a9711f7cb9755e4e6733fc45861539e2840820f