Configure Kernel Parameter for Accepting Secure Redirects By Default

Classification:

compliance

Framework:

Control:

Description

To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.default.secure_redirects = 0

Rationale

Accepting “secure” ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv4.conf.default.secure\_redirects from /etc/sysctl.d/\*.conf files

for f in /etc/sysctl.d/\*.conf /run/sysctl.d/\*.conf /usr/local/lib/sysctl.d/\*.conf /usr/lib/sysctl.d/\*.conf; do

 matching\_list=$(grep -P '^(?!#).\*[\s]\*net.ipv4.conf.default.secure\_redirects.\*$' $f | uniq )
 if ! test -z "$matching\_list"; then
 while IFS= read -r entry; do
 escaped\_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
 # comment out "net.ipv4.conf.default.secure\_redirects" matches to preserve user data
 sed -i "s/^${escaped\_entry}$/# &/g" $f
 done <<< "$matching\_list"
 fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG\_FILE="/etc/sysctl.conf"

sysctl\_net\_ipv4\_conf\_default\_secure\_redirects\_value=''


#
# Set runtime for net.ipv4.conf.default.secure\_redirects
#
/sbin/sysctl -q -n -w net.ipv4.conf.default.secure\_redirects="$sysctl\_net\_ipv4\_conf\_default\_secure\_redirects\_value"

#
# If net.ipv4.conf.default.secure\_redirects present in /etc/sysctl.conf, change value to appropriate value
# else, add "net.ipv4.conf.default.secure\_redirects = value" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped\_key=$(sed 's/[\^=\$,;+]\*//g' <<< "^net.ipv4.conf.default.secure\_redirects")

# shellcheck disable=SC2059
printf -v formatted\_output "%s = %s" "$stripped\_key" "$sysctl\_net\_ipv4\_conf\_default\_secure\_redirects\_value"

# If the key exists, change it. Otherwise, add it to the config\_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC\_ALL=C grep -q -m 1 -i -e "^net.ipv4.conf.default.secure\_redirects\\>" "${SYSCONFIG\_FILE}"; then
 escaped\_formatted\_output=$(sed -e 's|/|\\/|g' <<< "$formatted\_output")
 LC\_ALL=C sed -i --follow-symlinks "s/^net.ipv4.conf.default.secure\_redirects\\>.\*/$escaped\_formatted\_output/gi" "${SYSCONFIG\_FILE}"
else
 if [[ -s "${SYSCONFIG\_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG\_FILE}" || true)" ]]; then
 LC\_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG\_FILE}"
 fi
 printf '%s\n' "$formatted\_output" >> "${SYSCONFIG\_FILE}"
fi

else
 >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: List /etc/sysctl.d/\*.conf files
 find:
 paths:
 - /etc/sysctl.d/
 - /run/sysctl.d/
 - /usr/local/lib/sysctl.d/
 - /usr/lib/sysctl.d/
 contains: ^[\s]\*net.ipv4.conf.default.secure\_redirects.\*$
 patterns: '\*.conf'
 file\_type: any
 register: find\_sysctl\_d
 when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - NIST-800-171-3.1.20
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-5
 - NIST-800-53-SC-7(a)
 - disable\_strategy
 - low\_complexity
 - medium\_disruption
 - medium\_severity
 - reboot\_required
 - sysctl\_net\_ipv4\_conf\_default\_secure\_redirects

- name: Comment out any occurrences of net.ipv4.conf.default.secure\_redirects from
 config files
 replace:
 path: '{{ item.path }}'
 regexp: ^[\s]\*net.ipv4.conf.default.secure\_redirects
 replace: '#net.ipv4.conf.default.secure\_redirects'
 loop: '{{ find\_sysctl\_d.files }}'
 when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - NIST-800-171-3.1.20
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-5
 - NIST-800-53-SC-7(a)
 - disable\_strategy
 - low\_complexity
 - medium\_disruption
 - medium\_severity
 - reboot\_required
 - sysctl\_net\_ipv4\_conf\_default\_secure\_redirects
- name: XCCDF Value sysctl\_net\_ipv4\_conf\_default\_secure\_redirects\_value # promote to variable
 set\_fact:
 sysctl\_net\_ipv4\_conf\_default\_secure\_redirects\_value: !!str 
 tags:
 - always

- name: Ensure sysctl net.ipv4.conf.default.secure\_redirects is set
 sysctl:
 name: net.ipv4.conf.default.secure\_redirects
 value: '{{ sysctl\_net\_ipv4\_conf\_default\_secure\_redirects\_value }}'
 sysctl\_file: /etc/sysctl.conf
 state: present
 reload: true
 when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - NIST-800-171-3.1.20
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - NIST-800-53-SC-5
 - NIST-800-53-SC-7(a)
 - disable\_strategy
 - low\_complexity
 - medium\_disruption
 - medium\_severity
 - reboot\_required
 - sysctl\_net\_ipv4\_conf\_default\_secure\_redirects