Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
Description
To set the runtime status of the net.ipv4.conf.default.accept_redirects
kernel parameter, run the following command:
    $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
    net.ipv4.conf.default.accept_redirects = 0
Rationale
ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host’s route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should
be disabled unless absolutely required.
Shell script
The following script can be run on the host to remediate the issue.
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    # Comment out any occurrences of net.ipv4.conf.default.accept_redirects from /etc/sysctl.d/*.conf files
    for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
        matching_list=$(grep -P '^(?!#).*[\s]*net.ipv4.conf.default.accept_redirects.*$' $f | uniq )
        if ! test -z "$matching_list"; then
            while IFS= read -r entry; do
                escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
                # comment out "net.ipv4.conf.default.accept_redirects" matches to preserve user data
                sed -i "s/^${escaped_entry}$/# &/g" $f
            done <<< "$matching_list"
        fi
    done

    #
    # Set the sysctl config file in which to save the desired value
    #
    SYSCONFIG_FILE="/etc/sysctl.conf"

    # 0 = do not accept ICMP redirects, the value this rule requires
    sysctl_net_ipv4_conf_default_accept_redirects_value='0'

    #
    # Set runtime for net.ipv4.conf.default.accept_redirects
    #
    /sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects="$sysctl_net_ipv4_conf_default_accept_redirects_value"

    #
    # If net.ipv4.conf.default.accept_redirects is present in /etc/sysctl.conf, change it to the appropriate value;
    # else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf
    #
    # Strip any search characters in the key arg so that the key can be replaced without
    # adding any search characters to the config file.
    stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.conf.default.accept_redirects")

    # shellcheck disable=SC2059
    printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv4_conf_default_accept_redirects_value"

    # If the key exists, change it. Otherwise, add it to the config file.
    # We search for the key string followed by a word boundary (matched by \>),
    # so if we search for 'setting', 'setting2' won't match.
    if LC_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.accept_redirects\\>" "${SYSCONFIG_FILE}"; then
        escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
        LC_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.accept_redirects\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
    else
        # Make sure the file ends with a newline before appending the new line
        if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
            LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
        fi
        printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
    fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
      - /etc/sysctl.d/
      - /run/sysctl.d/
      - /usr/local/lib/sysctl.d/
      - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.default.accept_redirects.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.10.1.1
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-7(a)
    - PCI-DSS-Req-1.4.3
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv4_conf_default_accept_redirects

- name: Comment out any occurrences of net.ipv4.conf.default.accept_redirects from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.default.accept_redirects
    replace: '#net.ipv4.conf.default.accept_redirects'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.10.1.1
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-7(a)
    - PCI-DSS-Req-1.4.3
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv4_conf_default_accept_redirects

- name: XCCDF Value sysctl_net_ipv4_conf_default_accept_redirects_value # promote to variable
  set_fact:
    # 0 = do not accept ICMP redirects, the value this rule requires
    sysctl_net_ipv4_conf_default_accept_redirects_value: !!str 0
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.default.accept_redirects is set
  sysctl:
    name: net.ipv4.conf.default.accept_redirects
    value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.10.1.1
    - NIST-800-171-3.1.20
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-SC-7(a)
    - PCI-DSS-Req-1.4.3
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv4_conf_default_accept_redirects
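Audit check (added example, not one of the rule's own remediation scripts above): both the shell script and the playbook aim for a single uncommented net.ipv4.conf.default.accept_redirects = 0 across the sysctl drop-in directories and /etc/sysctl.conf, and this POSIX shell script verifies that end state plus the live kernel value. The function names are my own; the file paths are the ones the remediation scans.

```shell
#!/bin/sh
# Added example, not part of the rule's remediation scripts: audit how
# net.ipv4.conf.default.accept_redirects is persisted. Needs POSIX sh and awk.
KEY="net.ipv4.conf.default.accept_redirects"

# settings_for KEY FILE...: print "<file><TAB><value>" for every uncommented
# line that sets KEY, in file order. Lines whose first non-blank char is '#'
# or ';' are comments (sysctl.conf(5)); slash-form keys are normalised to dots.
settings_for() {
    key=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v k="$key" -v f="$f" '
            function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
            /^[ \t]*[#;]/ || index($0, "=") == 0 { next }
            { eq = index($0, "=")
              name = trim(substr($0, 1, eq - 1)); value = trim(substr($0, eq + 1))
              gsub("/", ".", name)          # sysctl also accepts net/ipv4/... keys
              if (name == k) print f "\t" value }' "$f"
    done
}

# effective_value KEY FILE...: value of the last definition (last one wins), or "".
effective_value() { settings_for "$@" | tail -n 1 | cut -f 2-; }

# runtime_value KEY: live kernel value from /proc/sys, or "n/a" when unavailable.
runtime_value() {
    p="/proc/sys/$(printf '%s' "$1" | tr . /)"; [ -r "$p" ] && cat "$p" || echo n/a
}

# audit_accept_redirects FILE...: return 0 only when exactly one uncommented
# definition exists and it is 0. Two live definitions fail even if the last is 0:
# `sysctl --system` and systemd-sysctl do not order drop-ins and /etc/sysctl.conf
# identically, which is why the remediation comments duplicates out.
audit_accept_redirects() {
    hits=$(settings_for "$KEY" "$@")
    count=$(printf '%s\n' "$hits" | grep -c . || true)
    last=$(printf '%s\n' "$hits" | tail -n 1 | cut -f 2-)
    [ "$count" -eq 1 ] && [ "$last" = "0" ] && return 0
    printf 'FAIL: %s definition(s), effective value "%s"\n%s\n' "$count" "$last" "$hits" >&2
    return 1
}

# Order used by `sysctl --system`: the drop-in directories the remediation
# scans, then /etc/sysctl.conf last. Unmatched globs are skipped as unreadable.
audit_accept_redirects /etc/sysctl.d/*.conf /run/sysctl.d/*.conf \
    /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /etc/sysctl.conf \
    && echo "persisted OK, runtime value: $(runtime_value "$KEY")"
```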