3.3.6 Ensure secure icmp redirects are not accepted

Information

Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure.

It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways.

Solution

Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending inconf :

- net.ipv4.conf.all.secure_redirects = 0
- net.ipv4.conf.default.secure_redirects = 0

Example:

# printf '%s
' "net.ipv4.conf.all.secure_redirects = 0" "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.d/60-netipv4_sysctl.conf

Run the following script to set the active kernel parameters:

#!/usr/bin/env bash

{
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
sysctl -w net.ipv4.route.flush=1
}

Note: If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten

See Also

https://workbench.cisecurity.org/benchmarks/18209

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: acefb3ee008a13acf5672c2634d9f71c43508a5f1cbfef874da2180fd1e49eff