Information
ICMP Redirects are used to send routing information to other hosts. As a host does not itself act as a router (in a host-only configuration), there is no need for it to send redirects.
net.ipv4.conf.default.send_redirects controls sending of all IPv4 ICMP redirected packets on a newly added network interface.
More information about the kernel parameter configuration files, their location, and load preference is available in the "Configure Network Kernel Parameters" section overview.
Note: If this system is a router this recommendation is not applicable.
An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.
Solution
- Run the following command to comment out net.ipv4.conf.default.send_redirects lines returned by the audit procedure that are not net.ipv4.conf.default.send_redirects = 0:
# sed -ri '/^\s*net.ipv4.conf.default.send_redirects\s*=\s*1/s/^/#/g' "path/to/file/in/audit/filename"
Example:
# sed -ri '/^\s*net.ipv4.conf.default.send_redirects\s*=\s*1/s/^/#/g' /etc/sysctl.d/99-sysctl.conf
- Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or add the following line:
net.ipv4.conf.default.send_redirects = 0
Example:
# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.d/60-ipv4_sysctl.conf
- Run the following command to load all sysctl configuration files:
# sysctl --system
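The three remediation steps above, combined into a small audit-and-fix script. This is an added example written for this page, not part of the original benchmark text; the function names (audit_file_value, remediate_files, apply_runtime) are hypothetical, and the sysctl directory is passed as a parameter so the logic can be tried on constructed sample files in a scratch directory before pointing it at /etc/sysctl.d on a real host.

```shell
#!/bin/sh
# Added example (not the benchmark's own tooling): audit and remediate
# net.ipv4.conf.default.send_redirects across a directory of sysctl files.
# Pass a directory such as /etc/sysctl.d; then run apply_runtime as root.

PARAM='net.ipv4.conf.default.send_redirects'

# Print the value that the *.conf files in the directory would leave in
# effect. sysctl --system reads files in lexical order and a later file
# overrides an earlier one, so the last active assignment wins.
# Commented-out lines (leading '#') are ignored. Prints an empty string
# when no file sets the parameter at all.
audit_file_value() {
    dir="$1"
    value=''
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n "s/^[[:space:]]*${PARAM}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$f" | tail -n 1)
        [ -n "$v" ] && value="$v"
    done
    printf '%s\n' "$value"
}

# Comment out every active line that sets the parameter to 1 (the same
# sed expression as the remediation step, written with POSIX classes and
# a temp file instead of sed -i for portability), then append the
# compliant setting to 60-ipv4_sysctl.conf as the benchmark example does.
remediate_files() {
    dir="$1"
    [ -d "$dir" ] || mkdir -p "$dir"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        sed "/^[[:space:]]*${PARAM}[[:space:]]*=[[:space:]]*1/s/^/#/" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    done
    printf '%s\n' "" "${PARAM} = 0" >> "$dir/60-ipv4_sysctl.conf"
}

# Reload every sysctl configuration file into the running kernel.
# Requires root; only meaningful on the real /etc/sysctl.d hierarchy.
apply_runtime() {
    sysctl --system
}

# Show the value the running kernel currently uses, if /proc is available.
audit_running_value() {
    f=/proc/sys/net/ipv4/conf/default/send_redirects
    [ -r "$f" ] && cat "$f"
}
```

An empty result from audit_file_value is itself a finding: nothing in the files pins the parameter, so the running value is whatever the kernel or another tool set, and audit_running_value should be compared against the expected 0 after apply_runtime.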
Impact:
IP forwarding is required on systems configured to act as a router. If these parameters are disabled, the system will not be able to perform as a router.