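# This file is derived from recommendations made by the Center for Internet
# Security (CIS) Debian Linux 12 benchmark, v1.1.0.
#
# sysctl.conf(5) syntax: one "key = value" per line, "#" starts a comment line.
# After editing, reload with `sysctl --system` and confirm each value with
# `sysctl <key>`; a misspelled key is reported as an error and leaves the
# kernel default in place, so check the reload output.
#
# "conf.all" applies to every interface; "conf.default" seeds interfaces that
# are created later, which is why most settings appear twice.
#
# These values assume an end host. Routers, VPN gateways and container or
# virtualisation hosts usually need forwarding enabled and should override
# 3.3.1 deliberately rather than drop this file.

# 3.3 Configure Network Kernel Parameters

# 3.3.1 Ensure ip forwarding is disabled
# A host that does not route should not relay packets between interfaces.
# The IPv6 key is "forwarding" (there is no "forward" key).
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# 3.3.2 Ensure packet redirect sending is disabled
# Only routers have a reason to send ICMP redirects.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# 3.3.3 Ensure bogus icmp responses are ignored
# Keeps malformed ICMP error replies from filling the kernel log.
net.ipv4.icmp_ignore_bogus_error_responses = 1

# 3.3.4 Ensure broadcast icmp requests are ignored
# Stops the host from answering echo requests sent to broadcast addresses.
net.ipv4.icmp_echo_ignore_broadcasts = 1

# 3.3.5 Ensure icmp redirects are not accepted
# An accepted redirect rewrites the host's route to a destination.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# 3.3.6 Ensure secure icmp redirects are not accepted
# "Secure" redirects come from a listed default gateway; they are refused too.
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# 3.3.7 Ensure reverse path filtering is enabled
# 1 = strict mode: drop packets whose source would not be routed back out of
# the receiving interface. Multihomed hosts with asymmetric routing may need
# loose mode (2) on the affected interfaces.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# 3.3.8 Ensure source routed packets are not accepted
# Source routing lets the sender choose the path and bypass routing policy.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# 3.3.9 Ensure suspicious packets are logged
# Logs packets with impossible source addresses ("martians") to the kernel
# log; make sure that log is collected and rate of entries is watched.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# 3.3.10 Ensure tcp syn cookies is enabled
# Lets the host keep accepting connections when the SYN backlog is full.
net.ipv4.tcp_syncookies = 1

# 3.3.11 Ensure ipv6 router advertisements are not accepted
# With RAs ignored the host does not autoconfigure IPv6 addresses or default
# routes (SLAAC); IPv6 must then be configured statically or via DHCPv6.
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0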