CME-903

Kernel Network Hardening (sysctl)

Description

Kernel network stack hardening via sysctl: enable TCP SYN cookies (SYN flood protection), disable IP forwarding, reject source-routed packets, ignore ICMP redirects, and enable reverse path filtering.

CVSS Vector Impacts

Metric                  | Transition | Rationale
------------------------|------------|----------------------------------------------------------------------------
Attack Complexity (AC)  | L -> H     | Network-level attacks (SYN flood, source routing, ICMP redirect) are blocked

CWE Relationships

Verification

Check network hardening sysctls (Platform: linux)

$ sysctl net.ipv4.tcp_syncookies
# Expected: net.ipv4.tcp_syncookies = 1

$ sysctl net.ipv4.conf.all.accept_redirects
# Expected: net.ipv4.conf.all.accept_redirects = 0

$ sysctl net.ipv4.conf.all.rp_filter
# Expected: net.ipv4.conf.all.rp_filter = 1
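An added audit script (not part of this catalogue entry) that checks `sysctl -a`-style output against the hardened values this countermeasure describes; it covers the three settings in the verification block plus ip_forward and accept_source_route from the description. The sample output is constructed, and the HARDENED map and function names are the author's assumptions.

```python
import re

# Hardened values for the sysctls this countermeasure covers (assumed map).
HARDENED = {
    "net.ipv4.tcp_syncookies": "1",                # TCP SYN cookies (SYN flood protection)
    "net.ipv4.ip_forward": "0",                    # host does not route packets
    "net.ipv4.conf.all.accept_source_route": "0",  # reject source-routed packets
    "net.ipv4.conf.all.accept_redirects": "0",     # ignore ICMP redirects
    "net.ipv4.conf.all.rp_filter": "1",            # strict reverse path filtering
    "net.ipv4.conf.default.rp_filter": "1",        # same for interfaces created later
}

# One 'key = value' line as printed by sysctl; anything else is ignored.
LINE_RE = re.compile(r"^\s*([\w.\-]+)\s*=\s*(\S*)\s*$")

def parse_sysctl(text):
    """Parse sysctl output into a {name: value} dict."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit(text):
    """Return {sysctl: (expected, actual)} for every value that is missing or not hardened.

    A missing key is reported with actual=None so an incomplete `sysctl` dump
    (or a setting the kernel does not expose) is not silently treated as a pass.
    """
    settings = parse_sysctl(text)
    findings = {}
    for key, expected in HARDENED.items():
        actual = settings.get(key)
        if actual != expected:
            findings[key] = (expected, actual)
    return findings

# Constructed sample standing in for `sysctl -a` on a partially hardened host:
# forwarding is on, ICMP redirects are accepted, rp_filter is loose (2), and
# the per-default rp_filter setting is absent from the dump.
SAMPLE_OUTPUT = """\
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.rp_filter = 2
"""

if __name__ == "__main__":
    for key, (exp, act) in sorted(audit(SAMPLE_OUTPUT).items()):
        print(f"FAIL {key}: expected {exp}, got {act}")
```

On a real host, pipe `sysctl -a` into `audit()` instead of the constructed sample.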

References
