3.3.1.8 Ensure net.ipv4.conf.all.accept_redirects is configured

Information

ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables.

net.ipv4.conf.all.accept_redirects controls whether IPv4 ICMP redirect messages are accepted on all interfaces.

By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any IPv4 ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables.

Solution

- Review all files used by systemd sysctl and comment out or remove every net.ipv4.conf.all.accept_redirects line that does not set net.ipv4.conf.all.accept_redirects=0.

Example script:

#!/usr/bin/env bash

{
    l_option="net.ipv4.conf.all.accept_redirects" l_value="0"
    # match the key in dotted or slashed form (sysctl accepts both)
    l_grep="${l_option//./(\\.|\\/)}" a_files=()
    l_systemdsysctl="$(readlink -e /lib/systemd/systemd-sysctl \
        || readlink -e /usr/lib/systemd/systemd-sysctl)"
    # the sysctl file UFW loads through IPT_SYSCTL, if UFW is installed
    l_ufw_file="$([ -f /etc/default/ufw ] && \
        awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
    [ -f "$(readlink -e "$l_ufw_file")" ] && \
        a_files+=("$l_ufw_file"); a_files+=("/etc/sysctl.conf")
    # add every other file systemd-sysctl reads, walking the load order backwards
    while IFS= read -r l_fname; do
        l_file="$(readlink -e "${l_fname//# /}")"
        [ -n "$l_file" ] && ! grep -Psiq -- '(^|\h+)'"$l_file"'\b' \
            <<< "${a_files[*]}" && a_files+=("$l_file")
    done < <("$l_systemdsysctl" --cat-config | tac | \
        grep -Pio -- '^\h*#\h*\/[^#\n\r\h]+\.conf\b')
    # in each file, comment out every line that sets the option to anything other than 0
    for l_file in "${a_files[@]}"; do
        grep -Poi -- '\h*'"$l_grep"'\h*=\h*\H+\b' "$l_file" \
            | grep -Pivq -- '^\h*'"$l_grep"'\h*=\h*'"$l_value"'\b' && \
            sed -ri '/^\s*'"$l_grep"'\s*=\s*'"$l_value"'\b/!s/^(\s*'"$l_grep"'\s*=)/# \1/' "$l_file"
    done
}
- Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or add the following line:

net.ipv4.conf.all.accept_redirects = 0

Example:

# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "net.ipv4.conf.all.accept_redirects = 0" \
>> /etc/sysctl.d/60-ipv4_sysctl.conf

Note: If the UFW file was the first file listed in the audit, its entry is commented out as part of the first step. However, an update to Uncomplicated Firewall (UFW) may rewrite that file; in that case the UFW entry, being loaded later, will supersede the entry created in this step.

- Run the following command to load all sysctl configuration files:

# sysctl --system
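The remediation above works because sysctl --system applies the last assignment it reads, which is also why the Note warns that a UFW entry loaded later can override the drop-in. The following script is an added example, not part of the CIS benchmark or the audit text: it takes sysctl configuration text in the order systemd-sysctl --cat-config prints it, resolves the effective value of a key in either dotted or slashed form, and checks it against the benchmark value. The two configurations it is run against are constructed samples.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): resolve the value that
# sysctl --system will finally apply for a key, given configuration text
# in load order. The last assignment wins, comments are ignored, and the
# key may be written net.ipv4.conf.all.accept_redirects or
# net/ipv4/conf/all/accept_redirects.

# Usage: effective_sysctl_value KEY < config_text ; prints the value or nothing
effective_sysctl_value() {
    key_re=$(printf '%s' "$1" | sed 's/\./[.\/]/g')    # "." -> "[./]"
    sed -e 's/[#;].*//'                 \
        -e 's/^[[:space:]]*-\{0,1\}//'  \
        -e 's/[[:space:]]*$//'          \
    | grep -E "^${key_re}[[:space:]]*=" \
    | sed 's/^[^=]*=[[:space:]]*//'     \
    | tail -n 1
}

# Returns 0 when the effective value is the benchmark value 0, else 1
check_accept_redirects() {
    [ "$(effective_sysctl_value net.ipv4.conf.all.accept_redirects)" = "0" ]
}

# Constructed sample: the file UFW loads through IPT_SYSCTL is read first
# and enables redirects; the drop-in from the remediation is read later and wins.
cis_after_ufw='# /etc/ufw/sysctl.conf
net/ipv4/conf/all/accept_redirects=1
# /etc/sysctl.d/60-ipv4_sysctl.conf
net.ipv4.conf.all.accept_redirects = 0   # CIS 3.3.1.8
'
# Constructed sample for the Note: the same two files in the opposite
# order, so the UFW entry supersedes the hardening entry.
ufw_after_cis='# /etc/sysctl.d/60-ipv4_sysctl.conf
net.ipv4.conf.all.accept_redirects = 0
# /etc/ufw/sysctl.conf
net/ipv4/conf/all/accept_redirects=1
'

printf '%s' "$cis_after_ufw" | check_accept_redirects && echo "pass: drop-in wins"
printf '%s' "$ufw_after_cis" | check_accept_redirects || echo "FAIL: UFW entry wins"

# On a live system feed the real load order instead of the samples, e.g.:
#   /lib/systemd/systemd-sysctl --cat-config | check_accept_redirects
```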

See Also

https://workbench.cisecurity.org/benchmarks/24008

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CSCv7|9.2

Plugin: Unix

Control ID: 784c8e2ec132a8261844c39e34b587d9d558e2769a5bab848988ad2f35b59f1d