3.2.3 Ensure secure ICMP redirects are not accepted - 'net.ipv4.conf.default.secure_redirects = 0 sysctl'

Information

It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways.

Solution

Set the following parameters in the /etc/sysctl.conf file:

net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

Run the following commands to set the active kernel parameters:

# sysctl -w net.ipv4.conf.all.secure_redirects=0
# sysctl -w net.ipv4.conf.default.secure_redirects=0
# sysctl -w net.ipv4.route.flush=1
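
A way to verify the result of the steps above, as an added example that is not part of the benchmark or of the audit plugin: it checks that both parameters are 0 in a sysctl.conf-style file and in the running kernel. The function names and the PROC_ROOT variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: audit of the two secure_redirects settings named above.
# PROC_ROOT and the function names are assumptions made for this sketch.
# Usage: audit_secure_redirects /etc/sysctl.conf
PROC_ROOT="${PROC_ROOT:-/proc/sys}"
KEYS="net.ipv4.conf.all.secure_redirects net.ipv4.conf.default.secure_redirects"

# Print the effective value of key $1 in sysctl.conf-style file $2.
# Comment lines (# or ;) and lines without "=" are skipped; the last
# assignment wins, so an early "= 0" overridden by a later "= 1" is caught.
persisted_value() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ || !/=/ { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$2" 2>/dev/null || true
}

# Print the running value of key $1, read under $PROC_ROOT (dots become slashes).
running_value() {
    path="$PROC_ROOT/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
}

# Return 0 only if every key is 0 both in file $1 and in the running kernel.
audit_secure_redirects() {
    rc=0
    for key in $KEYS; do
        p=$(persisted_value "$key" "$1")
        r=$(running_value "$key")
        if [ "$p" = "0" ] && [ "$r" = "0" ]; then
            echo "PASS $key"
        else
            echo "FAIL $key persisted=${p:-unset} running=${r:-unset}"
            rc=1
        fi
    done
    return $rc
}
```

A FAIL with persisted=0 and running=1 means the file was edited but the sysctl -w commands were not run; the reverse means the setting will be lost at the next reboot.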

See Also

https://workbench.cisecurity.org/files/1863

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|9.2

Plugin: Unix

Control ID: 9465bbe8bcf58f26f7ca8dfea7978eb01bcb25f5c154677205f869c218530fea