3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
Profile Applicability
Level 1 - Server Level 1 - Workstation
Description
Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure.
Rationale
It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects
to 0 protects the system from routing table updates by possibly compromised known gateways.
Audit
Run the following command and verify output matches:
# sysctl net.ipv4.conf.all.secure_redirects net.ipv4.conf.all.secure_redirects = 0 # sysctl net.ipv4.conf.default.secure_redirects net.ipv4.conf.default.secure_redirects = 0
Remediation
Set the following parameter in the /etc/sysctl.conf
file:
net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1