3.3.1.4 Ensure net.ipv4.conf.all.send_redirects is configured

Information

ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects.

net.ipv4.conf.all.send_redirects controls sending of all IPv4 ICMP redirected packets on all interfaces.

More information about the kernel parameter configuration files, their location, and load preference is available in the "Configure Network Kernel Parameters" section overview.

Note: If this system is a router this recommendation is not applicable.

An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.

Solution

- Run the following command to comment out any net.ipv4.conf.all.send_redirects lines returned by the audit procedure that are not net.ipv4.conf.all.send_redirects = 0:

# sed -ri '/^\s*net.ipv4.conf.all.send_redirects\s*=\s*1/s/^/#/g' "path/to/file/in/audit/filename"

Example:

# sed -ri '/^\s*net.ipv4.conf.all.send_redirects\s*=\s*1/s/^/#/g' /etc/sysctl.d/99-sysctl.conf

- Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or add the following line:

net.ipv4.conf.all.send_redirects = 0

Example:

# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/60-ipv4_sysctl.conf

- Run the following command to load all sysctl configuration files:

# sysctl --system
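
The following audit helper is an added example, not part of the benchmark text. It parses sysctl-style configuration the way `sysctl --system` does (comments stripped, last assignment of a key wins, `net/ipv4/...` and a leading `-` accepted), reports the effective persisted value of net.ipv4.conf.all.send_redirects, and compares it with the running kernel; the sample configuration and the `live_check` function are constructed for illustration, and `live_check` only covers the /etc locations.

```shell
#!/bin/sh
# Added audit helper for this recommendation; not part of the CIS benchmark text.
# effective_value reads sysctl-style configuration from stdin, drops comments,
# and prints the last uncommented assignment of KEY: when sysctl --system loads
# files in order, the last assignment of a key is the one that takes effect.
effective_value() {
    awk -v key="$1" '
        { sub(/[#;].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip comments and padding
        $0 == "" { next }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]+/, "", k); gsub(/[ \t]+/, "", v)
            sub(/^-/, "", k)          # leading "-" means "ignore errors", not part of the key
            gsub("/", ".", k)         # sysctl accepts net/ipv4/... as well as net.ipv4....
            if (k == key) last = v
        }
        END { print (last == "" ? "unset" : last) }
    '
}

# Returns 0 when the persisted value read from stdin is the expected "0".
check_send_redirects() {
    [ "$(effective_value net.ipv4.conf.all.send_redirects)" = "0" ]
}

# Compares the running kernel with the persisted files, read in the order
# sysctl --system uses for the /etc entries (simplified: /run and /usr/lib omitted).
live_check() {
    running=$(sysctl -n net.ipv4.conf.all.send_redirects 2>/dev/null) || {
        echo "sysctl not available; skipping live check"; return 2; }
    persisted=$(cat /etc/sysctl.d/*.conf /etc/sysctl.conf 2>/dev/null \
        | effective_value net.ipv4.conf.all.send_redirects)
    echo "running=$running persisted=$persisted"
    [ "$running" = "0" ] && [ "$persisted" = "0" ]
}

# Constructed sample: a stray "= 1" is overridden by a later "= 0", so it passes.
SAMPLE='# hardening
net.ipv4.conf.all.send_redirects = 1
net/ipv4/conf/all/send_redirects=0   ; later assignment wins
'
if printf '%s' "$SAMPLE" | check_send_redirects; then echo "sample: PASS"; else echo "sample: FAIL"; fi
```

Run `live_check` as root on a real host to see whether a stray `= 1` in a later-loaded file is silently overriding the hardened setting.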

Impact:

IP forwarding is required on systems configured to act as a router. If this parameter is disabled, the system will not be able to function correctly as a router.

See Also

https://workbench.cisecurity.org/benchmarks/25279