MEDIUM M22: Network Sysctl Hardening P3
Overview
Hardens IPv4 and IPv6 network stack parameters on the node to prevent routing attacks (ICMP redirects, source-routed packets), source address spoofing (reverse path filtering, martian logging), and ICMP-based reconnaissance and amplification (broadcast echo, bogus error responses). Disables ICMP redirects and source routing on all interfaces and on the default template for new interfaces, rejects IPv6 router advertisements, and enables TCP SYN cookies. Two of these settings can change node behaviour beyond hardening: rp_filter=1 is strict reverse path filtering, which drops traffic on hosts with asymmetric routing (loose mode, value 2, is the usual alternative there), and accept_ra=0 also disables SLAAC, so a node that obtains its IPv6 address or default route from router advertisements must be configured statically before this control is enforced.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
Each check name is the Compliance Operator rule suffix; the kernel parameter it evaluates is the same name with dots and underscores (for example net-ipv4-conf-all-rp-filter checks net.ipv4.conf.all.rp_filter). The "all" variants apply to every existing interface, the "default" variants to interfaces created later.
| Check | Description |
|---|---|
| net-ipv4-conf-all-accept-redirects=0 | Reject ICMP redirects (all) |
| net-ipv4-conf-all-accept-source-route=0 | Reject source-routed packets (all) |
| net-ipv4-conf-all-log-martians=1 | Log martian packets (all) |
| net-ipv4-conf-all-rp-filter=1 | Enable strict reverse path filtering (all) |
| net-ipv4-conf-all-secure-redirects=0 | Reject ICMP redirects even from listed gateways (all) |
| net-ipv4-conf-all-send-redirects=0 | Don't send ICMP redirects (all) |
| net-ipv4-conf-default-accept-redirects=0 | Reject ICMP redirects (default) |
| net-ipv4-conf-default-log-martians=1 | Log martian packets (default) |
| net-ipv4-conf-default-rp-filter=1 | Enable strict reverse path filtering (default) |
| net-ipv4-conf-default-secure-redirects=0 | Reject ICMP redirects even from listed gateways (default) |
| net-ipv4-conf-default-send-redirects=0 | Don't send ICMP redirects (default) |
| net-ipv4-icmp-echo-ignore-broadcasts=1 | Ignore ICMP echo requests sent to broadcast addresses |
| net-ipv4-icmp-ignore-bogus-error-responses=1 | Suppress logging of bogus ICMP error responses |
| net-ipv4-tcp-syncookies=1 | Enable TCP SYN cookies |
| net-ipv6-conf-all-accept-ra=0 | Reject IPv6 router advertisements (all) |
| net-ipv6-conf-all-accept-redirects=0 | Reject IPv6 ICMP redirects (all) |
| net-ipv6-conf-all-accept-source-route=0 | Reject IPv6 source-routed packets (all) |
| net-ipv6-conf-default-accept-ra=0 | Reject IPv6 router advertisements (default) |
| net-ipv6-conf-default-accept-redirects=0 | Reject IPv6 ICMP redirects (default) |
| net-ipv6-conf-default-accept-source-route=0 | Reject IPv6 source-routed packets (default) |
Verification
Read the live values from a node; the pattern below covers every key in the table (the original grep missed the ICMP, SYN cookie and accept_ra keys). The trailing space after accept_ra keeps out the accept_ra_* sub-keys.

```bash
oc debug node/<node> -- chroot /host sysctl -a 2>/dev/null | grep -E 'accept_redirects|accept_source_route|log_martians|rp_filter|secure_redirects|send_redirects|icmp_echo_ignore_broadcasts|icmp_ignore_bogus_error_responses|tcp_syncookies|accept_ra '
```

Compare against the operator's own view of the same rules:

```bash
oc get compliancecheckresults -n openshift-compliance | grep sysctl-net
```
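Eyeballing twenty grep lines per node does not scale, so the following script audits `sysctl -a` output against the table above and reports exactly which keys deviate. It is an added example, not code from the original page or from the Compliance Operator; the function names (m22_audit, m22_sysctl_conf), the variable M22_EXPECTED and the sample sysctl output are all constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not part of the original page or the Compliance Operator):
# audit `sysctl -a` output against the M22 expected values.
# Usage: source this file, then
#   oc debug node/<node> -- chroot /host sysctl -a 2>/dev/null | m22_audit

# Kernel keys behind the M22 checks (rule suffix net-ipv4-conf-all-rp-filter
# maps to key net.ipv4.conf.all.rp_filter), one "key=value" per line.
M22_EXPECTED='
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.default.accept_source_route=0
'

# m22_audit: read "key = value" lines (sysctl -a format) on stdin and compare
# every expected key. Prints one OK/FAIL/MISSING line per key; the exit status
# is the number of keys that are not OK, so 0 means the node is compliant.
m22_audit() {
  local actual key want have fails=0
  actual="$(cat)"
  while IFS='=' read -r key want; do
    [ -n "$key" ] || continue
    # Exact match on the key; the separator regex absorbs the spaces around '='.
    have="$(printf '%s\n' "$actual" | awk -F' *= *' -v k="$key" '$1 == k { print $2; exit }')"
    if [ -z "$have" ]; then
      printf 'MISSING %s (want %s)\n' "$key" "$want"; fails=$((fails + 1))
    elif [ "$have" != "$want" ]; then
      printf 'FAIL    %s = %s (want %s)\n' "$key" "$have" "$want"; fails=$((fails + 1))
    else
      printf 'OK      %s = %s\n' "$key" "$have"
    fi
  done <<EOF
$M22_EXPECTED
EOF
  return "$fails"
}

# m22_sysctl_conf: print the expected settings as a sysctl.d fragment. On RHCOS,
# deliver it through a MachineConfig (e.g. as /etc/sysctl.d/90-m22.conf, a
# hypothetical file name) rather than editing the node by hand.
m22_sysctl_conf() {
  printf '%s\n' "$M22_EXPECTED" | sed -e '/^$/d' -e 's/=/ = /'
}

# Constructed sample of sysctl -a output (not captured from a real node): one
# key in loose rp_filter mode, one IPv6 key absent, plus an unrelated key, to
# exercise the FAIL and MISSING paths.
SAMPLE_SYSCTL="$(m22_sysctl_conf | grep -v 'net.ipv6.conf.default.accept_ra' | sed 's/^net.ipv4.conf.all.rp_filter = 1$/net.ipv4.conf.all.rp_filter = 2/')
kernel.hostname = worker-0"
```

Running `printf '%s\n' "$SAMPLE_SYSCTL" | m22_audit` prints eighteen OK lines, a FAIL for net.ipv4.conf.all.rp_filter (2, want 1) and a MISSING for net.ipv6.conf.default.accept_ra, and exits with status 2. Because the comparison is on the key rather than a substring, accept_ra_defrtr and similar sub-keys never match the accept_ra check, which is the pitfall of the plain grep.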