Information
net.ipv4.icmp_ignore_bogus_error_responses controls whether the kernel logs bogus responses (RFC-1122 non-compliant) to broadcast frames.
More information about the kernel parameter configuration files, their location, and load preference is available in the "Configure Network Kernel Parameters" section overview.
Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages.
Solution
- Run the following command to comment out any net.ipv4.icmp_ignore_bogus_error_responses line returned by the audit procedure that is not net.ipv4.icmp_ignore_bogus_error_responses = 1:
# sed -ri '/^\s*net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*0/s/^/#/g' \
"path/to/file/in/audit/filename"
Example:
# sed -ri '/^\s*net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*0/s/^/#/g' \
/etc/sysctl.d/99-sysctl.conf
- Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or add the following line:
net.ipv4.icmp_ignore_bogus_error_responses = 1
Example:
# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/60-ipv4_sysctl.conf
- Run the following command to load all sysctl configuration files:
# sysctl --system
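The three remediation steps above can be wrapped into one idempotent script that also verifies the result; this is an added example, not part of the benchmark text, and the directory argument, the drop-in filename 60-ipv4_sysctl.conf and the function names are assumptions (GNU sed/grep are assumed for the \s syntax, as in the commands above).

```shell
#!/bin/sh
# Added example: remediate icmp_ignore_bogus_error_responses in a sysctl.d
# directory (default /etc/sysctl.d) and verify the files and the live value.
PARAM="net.ipv4.icmp_ignore_bogus_error_responses"

# Step 1: comment out every active line that sets the parameter to 0.
disable_bad_lines() {
    dir="$1"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        sed -ri "/^\s*${PARAM}\s*=\s*0/s/^/#/" "$f"
    done
}

# Step 2: add "PARAM = 1" to the drop-in file only if no active line
# already sets it to 1 (so repeated runs do not duplicate the line).
ensure_setting() {
    dir="$1"
    if ! grep -Eqs "^\s*${PARAM}\s*=\s*1\s*$" "$dir"/*.conf; then
        mkdir -p "$dir"
        printf '%s\n' "" "$PARAM = 1" >> "$dir/60-ipv4_sysctl.conf"
    fi
}

# Audit helper: succeed only if no active line sets the parameter to
# anything other than 1 (commented-out lines are ignored).
check_dir() {
    dir="$1"
    ! grep -Ehs "^\s*${PARAM}\s*=" "$dir"/*.conf | grep -Ev "=\s*1\s*$" >/dev/null
}

# Step 3: reload all sysctl files and confirm the running kernel value.
# Needs root; not exercised by the test below.
reload_and_verify() {
    sysctl --system >/dev/null
    [ "$(sysctl -n "$PARAM")" = "1" ]
}

# Typical use (uncomment to run on a real host):
# disable_bad_lines /etc/sysctl.d && ensure_setting /etc/sysctl.d \
#   && check_dir /etc/sysctl.d && reload_and_verify
```

Running the functions on a copy of the configuration directory first is a cheap way to see which lines would be commented out before touching /etc/sysctl.d.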