3.1.11 Ignore ICMP Redirect Messages - Check ip6_ignore_redirect value. Expected value: 1.

Information

The ip_ignore_redirect and ip6_ignore_redirect parameters determine if redirect messages will be ignored. ICMP redirect messages cause a host to re-route packets and could be used in a DoS attack. The default value for this is 0. Setting this parameter to 1 causes redirect messages to be ignored.

Note - This setting will NOT persist between reboots.

Appendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following command for it to take effect-
cp cis_netconfig.sh /lib/svc/method
chmod 750 /lib/svc/method/cis_netconfig.sh
svccfg import cis_netconfig.xml

When the service is enabled or system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date.

Solution

See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
IPv4-
ndd -set /dev/ip ip_ignore_redirect 1
IPv6-
ndd -set /dev/ip ip6_ignore_redirect 1

See Also

https://workbench.cisecurity.org/files/614

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|9.2

Plugin: Unix

Control ID: 42b70c65f946556075982a16068385da2989a7314823a5f570ea25bf5c1e4b66