3.2.2 Ensure ICMP redirects are not accepted (Scored)
Profile Applicability
Level 1 - Server Level 1 - Workstation
Description
ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting ““net.ipv4.conf.all.accept_redirects”” to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables.
Rationale
Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured.
Audit
Run the following command and verify output matches:
# sysctl net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.accept_redirects = 0 # sysctl net.ipv4.conf.default.accept_redirects net.ipv4.conf.default.accept_redirects = 0
Remediation
Set the following parameter in the “/etc/sysctl.conf” file:
net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1