Detections
Analytics

3.3.1.4 Ensure net.ipv4.conf.all.send_redirects is configured

Information

ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects.

net.ipv4.conf.all.send_redirects controls sending of all IPv4 ICMP redirected packets on all interfaces.

Note: If this system is a router this recommendation is not applicable.

An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.

Solution

- Review all files being used by systemd sysctl and comment out or remove all net.ipv4.conf.all.send_redirects lines that are not net.ipv4.conf.all.send_redirects=0.

Example script:

#!/usr/bin/env bash

{
 l_option="net.ipv4.conf.all.send_redirects" l_value="0"
 l_grep="${l_option//./(\\.|\\/)}" a_files=()
 l_systemdsysctl="$(readlink -e /lib/systemd/systemd-sysctl \
 || readlink -e /usr/lib/systemd/systemd-sysctl)"
 l_ufw_file="$([ -f /etc/default/ufw ] && \
 awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
 [ -f "$(readlink -e "$l_ufw_file")" ] && \
 a_files+=("$l_ufw_file"); a_files+=("/etc/sysctl.conf")
 while IFS= read -r l_fname; do
 l_file="$(readlink -e "${l_fname//# /}")"
 [ -n "$l_file" ] && ! grep -Psiq -- '(^|\h+)'"$l_file"'\b' \
 <<< "${a_files[*]}" && a_files+=("$l_file")
 done < <("$l_systemdsysctl" --cat-config | tac | \
 grep -Pio -- '^\h*#\h*\/[^#\n\r\h]+\.conf\b')
 for l_file in "${a_files[@]}"; do
 grep -Poi -- '\h*'"$l_grep"'\h*=\h*\H+\b' "$l_file" \
 | grep -Pivq -- '^\h*'"$l_grep"'\h*=\h*'"$l_value"'\b' && \
 sed -ri '/^\s*'"$l_grep"'\s*=\s*(1[0-9]*)/s/^/# /' "$l_file"
 done
}
 - Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or add the following line:

net.ipv4.conf.all.send_redirects = 0

Example:

# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "net.ipv4.conf.all.send_redirects = 0" \
>> /etc/sysctl.d/60-ipv4_sysctl.conf

Note: If the UFW file was the first file listed in the audit, the entry will be commented out as part of the first step, however updating Uncomplicated Firewall (UFW) may update this change. In this case the updated entry will supersede the entry being created as part of this step.

 - Run the following command to load all sysctl configuration filles:

# sysctl --system

Impact:

IP forwarding is required on systems configured to act as a router. If these parameters are disabled, the system will not be able to perform as a router.

See Also

https://workbench.cisecurity.org/benchmarks/24008

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CSCv7|9.2

Plugin: Unix

Control ID: f5afda2706e92769517b48a692954e0a943a89d253e950a27dc1ea089d64c740