3.3.2.4 Ensure net.ipv6.conf.default.accept_redirects is configured

Information

ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables.

net.ipv6.conf.default.accept_redirects controls whether IPv6 ICMP redirect packets are accepted on a newly added network interface (it supplies the default for interfaces created after the setting takes effect).

More information about the kernel parameter configuration files, their location, and load preference is available in the "Configure Network Kernel Parameters" section overview.

Note: If IPv6 has been disabled, or this system is a router, this recommendation is not applicable.


By setting net.ipv6.conf.default.accept_redirects to 0, the system will not accept IPv6 ICMP redirect messages on a newly added network interface.

Solution

- Run the following command to comment out any net.ipv6.conf.default.accept_redirects line returned by the audit procedure whose value is not 0 (that is, any line other than net.ipv6.conf.default.accept_redirects = 0):

# sed -ri '/^\s*net.ipv6.conf.default.accept_redirects\s*=\s*1/s/^/#/g' "path/to/file/in/audit/filename"

Example:

# sed -ri '/^\s*net.ipv6.conf.default.accept_redirects\s*=\s*1/s/^/#/g' /etc/sysctl.d/99-sysctl.conf
- Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or add the following line:

net.ipv6.conf.default.accept_redirects = 0

Example:

# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "net.ipv6.conf.default.accept_redirects = 0" >> /etc/sysctl.d/60-ipv6_sysctl.conf
- Run the following command to load all sysctl configuration files:

# sysctl --system
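The three remediation steps above, combined into one script as an added example (this is not text or code from the CIS benchmark). Every function takes a directory argument so the logic can be exercised against constructed sample files instead of the live /etc/sysctl.d/; the function names, the sample file contents and the 99-sysctl.conf / 10-other.conf names are assumptions made for the illustration, while 60-ipv6_sysctl.conf is the file name used in the benchmark's own example.

```shell
#!/bin/sh
# Added example (not part of the CIS benchmark text): audit and remediate the
# net.ipv6.conf.default.accept_redirects setting across sysctl drop-in files.
# Every function takes a directory argument so it can be run against
# constructed sample files rather than /etc/sysctl.d/.

PARAM='net.ipv6.conf.default.accept_redirects'
# Same parameter with the dots escaped, for use inside regular expressions.
PARAM_RE='net\.ipv6\.conf\.default\.accept_redirects'

# List (file:line:text) every active, i.e. uncommented, setting of the parameter
# whose value is anything other than 0. Exit status 0 if at least one exists.
find_noncompliant() {
  grep -Hn -E "^[[:space:]]*${PARAM_RE}[[:space:]]*=[[:space:]]*[^0[:space:]]" "$1"/*.conf 2>/dev/null
}

# Exit status 0 if at least one active "= 0" setting exists in the directory.
has_compliant_setting() {
  grep -q -E "^[[:space:]]*${PARAM_RE}[[:space:]]*=[[:space:]]*0[[:space:]]*$" "$1"/*.conf 2>/dev/null
}

# Exit status 0 only when the directory is compliant: no active non-zero
# setting remains and an explicit "= 0" line is present.
is_compliant() {
  if find_noncompliant "$1" >/dev/null; then
    return 1
  fi
  has_compliant_setting "$1"
}

# Comment out every non-zero setting (the benchmark's sed step) and, if no file
# already sets the parameter to 0, append the setting to 60-ipv6_sysctl.conf.
# Running it twice is safe: the append only happens while no "= 0" line exists.
remediate() {
  dir="$1"
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    sed -i -E "/^[[:space:]]*${PARAM_RE}[[:space:]]*=[[:space:]]*[^0[:space:]]/s/^/#/" "$f"
  done
  if ! has_compliant_setting "$dir"; then
    printf '%s\n' "" "${PARAM} = 0" >> "$dir/60-ipv6_sysctl.conf"
  fi
}

# Write constructed sample files (not real system configuration) into "$1".
make_samples() {
  cat > "$1/99-sysctl.conf" <<'EOF'
# constructed sample: one non-compliant line among unrelated settings
net.ipv4.ip_forward = 0
net.ipv6.conf.default.accept_redirects = 1
EOF
  cat > "$1/10-other.conf" <<'EOF'
# constructed sample: already commented out, must be left untouched
#net.ipv6.conf.default.accept_redirects = 1
EOF
}

# Stand-alone demonstration against a temporary directory.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "before remediation:"
find_noncompliant "$demo_dir"
remediate "$demo_dir"
echo "after remediation:"
grep -Hn "$PARAM" "$demo_dir"/*.conf
is_compliant "$demo_dir" && echo "directory is compliant"
rm -rf "$demo_dir"
```

On a real host you would call remediate with /etc/sysctl.d/ and then run sysctl --system, as the last step above says, so the new default is loaded; sysctl net.ipv6.conf.default.accept_redirects shows the value now in effect. Note that the file check alone is not the whole audit: a setting can also come from /etc/sysctl.conf or be overridden by a later-sorted drop-in file, which is why the benchmark's audit reads the running value as well as the configuration files.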

See Also

https://workbench.cisecurity.org/benchmarks/25279