MEDIUM RHCOS (Node) M22: Network Sysctl Hardening P3

Verified CNF-23524 Compare Branch Synced: 2026-05-04

Remediation required. This group (20 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.

Overview

Hardens IPv4 and IPv6 network stack parameters to prevent routing attacks, source address spoofing, and ICMP-based reconnaissance. Disables redirects, source routing, and router advertisements on all interfaces.

Profile: NIST 800-53 Moderate (rhcos4-moderate)

Compliance Checks

Check Description
net-ipv4-conf-all-accept-redirects=0 Reject ICMP redirects (all)
net-ipv4-conf-all-accept-source-route=0 Reject source-routed packets (all)
net-ipv4-conf-all-log-martians=1 Log martian packets (all)
net-ipv4-conf-all-rp-filter=1 Enable reverse path filtering (all)
net-ipv4-conf-all-secure-redirects=0 Reject secure redirects (all)
net-ipv4-conf-all-send-redirects=0 Don’t send redirects (all)
net-ipv4-conf-default-accept-redirects=0 Reject ICMP redirects (default)
net-ipv4-conf-default-log-martians=1 Log martian packets (default)
net-ipv4-conf-default-rp-filter=1 Enable reverse path filtering (default)
net-ipv4-conf-default-secure-redirects=0 Reject secure redirects (default)
net-ipv4-conf-default-send-redirects=0 Don’t send redirects (default)
net-ipv4-icmp-echo-ignore-broadcasts=1 Ignore broadcast ICMP echo
net-ipv4-icmp-ignore-bogus-error-responses=1 Ignore bogus ICMP errors
net-ipv4-tcp-syncookies=1 Enable TCP SYN cookies
net-ipv6-conf-all-accept-ra=0 Reject IPv6 router advertisements (all)
net-ipv6-conf-all-accept-redirects=0 Reject IPv6 redirects (all)
net-ipv6-conf-all-accept-source-route=0 Reject IPv6 source routes (all)
net-ipv6-conf-default-accept-ra=0 Reject IPv6 router advertisements (default)
net-ipv6-conf-default-accept-redirects=0 Reject IPv6 redirects (default)
net-ipv6-conf-default-accept-source-route=0 Reject IPv6 source routes (default)

Verification

oc debug node/<node> -- chroot /host sysctl -a | grep -E 'accept_redirects|accept_source_route|log_martians|rp_filter|send_redirects'

Upstream Proposal

The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

Setting Scope Target Repo Target File Rationale Risk
20 IPv4/IPv6 network sysctl values All OCP openshift/os
View Proposed Change 		/usr/lib/sysctl.d/50-network-hardening.conf Standard CIS/STIG network hardening: disable redirects, source routing, enable martian logging, syncookies. Universal for servers.
Scope: Standard CIS/STIG network hardening. Universally recommended for all servers. No legitimate reason to accept ICMP redirects on a Kubernetes node. 		Low
← M21 All Groups M23 →
Legend
Status
🔵 In Progress
🟡 Pending
On Hold
🟢 Complete
Severity
HIGH
MEDIUM
LOW
MANUAL

Keyboard Shortcuts

Navigation
j / Next row
k / Previous row
Enter Open selected / Expand details
Esc Clear selection / Close modal
Actions
/ Focus search
d Toggle dark mode
? Show this help
g h Go to home
Filters
1 Show all
2 Pending only
3 In Progress only
4 Complete only