Run the following script to verify the following kernel parameters are set in the running configuration and correctly loaded from a kernel parameter configuration file:
- net.ipv4.conf.all.accept_source_route is set to 0
- net.ipv4.conf.default.accept_source_route is set to 0
- net.ipv6.conf.all.accept_source_route is set to 0
- net.ipv6.conf.default.accept_source_route is set to 0
Note:
- kernel parameters are loaded by file and parameter order precedence. The following script observes this precedence as part of the auditing procedure. The parameters being checked may be set correctly in a file. If that file is superseded, the parameter is overridden by an incorrect setting later in that file, or in a canonically later file, that "correct" setting will be ignored both by the script and by the system during a normal kernel parameter load sequence.
- IPv6 kernel parameters only apply to systems where IPv6 is enabled
#!/usr/bin/env bash{a_output=();a_output2=();l_ipv6_disabled=""a_parlist=("net.ipv4.conf.all.accept_source_route=0""net.ipv4.conf.default.accept_source_route=0""net.ipv6.conf.all.accept_source_route=0""net.ipv6.conf.default.accept_source_route=0")l_ufwscf="$([-f/etc/default/ufw]&&awk-F='/^\s*IPT_SYSCTL=/ {print $2}'/etc/default/ufw)"f_ipv6_chk(){l_ipv6_disabled="no"!grep-Pqs--'^\h*0\b'/sys/module/ipv6/parameters/disable&&l_ipv6_disabled="yes"ifsysctlnet.ipv6.conf.all.disable_ipv6|grep-Pqs--"^\h*net\.ipv6\.conf\.all\.disable_ipv6\h*=\h*1\b"&&\sysctlnet.ipv6.conf.default.disable_ipv6|grep-Pqs--"^\h*net\.ipv6\.conf\.default\.disable_ipv6\h*=\h*1\b";thenl_ipv6_disabled="yes"fi}f_kernel_parameter_chk(){l_running_parameter_value="$(sysctl"$l_parameter_name"|awk-F='{print $2}'|xargs)"# Check running configurationifgrep-Pq--'\b'"$l_parameter_value"'\b'<<<"$l_running_parameter_value";thena_output+=(" - \"$l_parameter_name\" is correctly set to \"$l_running_parameter_value\"""in the running configuration")elsea_output2+=(" - \"$l_parameter_name\" is incorrectly set to \"$l_running_parameter_value\""\"intherunningconfiguration" \"and should have a value of: \"$l_value_out\"")fiunsetA_out;declare-AA_out# Check durable setting (files)whileread-rl_out;doif[-n"$l_out"];thenif[[$l_out=~^\s*#]];thenl_file="${l_out//# /}"elsel_kpar="$(awk-F='{print $1}'<<<"$l_out"|xargs)"["$l_kpar"="$l_parameter_name"]&&A_out+=(["$l_kpar"]="$l_file")fifidone<<("$l_systemdsysctl"--cat-config|grep-Po'^\h*([^#\n\r]+|#\h*\/[^#\n\r\h]+\.conf\b)')if[-n"$l_ufwscf"];then# Account for systems with UFW (Not covered by systemd-sysctl --cat-config)l_kpar="$(grep-Po"^\h*$l_parameter_name\b""$l_ufwscf"|xargs)"l_kpar="${l_kpar//\//.}"["$l_kpar"="$l_parameter_name"]&&A_out+=(["$l_kpar"]="$l_ufwscf")fiif((${#A_out[@]}>0));then# Assess output from files and generate outputwhileIFS="="read-rl_fkpnamel_file_parameter_value;dol_fkpname="${l_fkpname// /}";l_file_parameter_value="${l_file_parameter_value// /}"ifgrep-Pq--'\b'"$l_parameter_value"'\b'<<<"$l_file_parameter_value";thena_output+=(" - \"$l_parameter_name\" is correctly set to \"$l_file_parameter_value\""\"in\"$(printf'%s'"${A_out[@]}")\"")elsea_output2+=("-\"$l_parameter_name\"isincorrectlysetto\"$l_file_parameter_value\"" "in\"$(printf'%s'"${A_out[@]}")\"" \"and should have a value of: \"$l_value_out\"")fidone<<(grep-Po--"^\h*$l_parameter_name\h*=\h*\H+""${A_out[@]}")elsea_output2+=(" - \"$l_parameter_name\" is not set in an included file"\"**Note:\"$l_parameter_name\"Maybesetinafilethat's ignored by load procedure **")fi}l_systemdsysctl="$(readlink -f /lib/systemd/systemd-sysctl)"while IFS="=" read -r l_parameter_name l_parameter_value; do # Assess and check parametersl_parameter_name="${l_parameter_name// /}";l_parameter_value="${l_parameter_value// /}"l_value_out="${l_parameter_value//-/ through }";l_value_out="${l_value_out//|/ or }"l_value_out="$(tr -d '(){}' <<< "$l_value_out")"if grep -q '^net.ipv6.' <<< "$l_parameter_name"; then[ -z "$l_ipv6_disabled" ] && f_ipv6_chkif [ "$l_ipv6_disabled" = "yes" ]; thena_output+=(" - IPv6 is disabled on the system, \"$l_parameter_name\" is not applicable")elsef_kernel_parameter_chkfielsef_kernel_parameter_chkfidone < <(printf '%s\n' "${a_parlist[@]}")if [ "${#a_output2[@]}" -le 0 ]; thenprintf '%s\n' "" "- Audit Result:" " ** PASS **" "${a_output[@]}" ""elseprintf '%s\n' "" "- Audit Result:" " ** FAIL **" " - Reason(s) for audit failure:" "${a_output2[@]}"[ "${#a_output[@]}" -gt 0 ] && printf '%s\n'"""- Correctly set:""${a_output[@]}"""fi}
Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending in .conf:
- net.ipv4.conf.all.accept_source_route = 0
- net.ipv4.conf.default.accept_source_route = 0
- IF - IPv6 is enabled on the system:
Set the following parameter in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending in .conf:
- net.ipv6.conf.all.accept_source_route = 0
- net.ipv6.conf.default.accept_source_route = 0