From 75d7af83ce415f7831da99c9cda7e9c51dce09b9 Mon Sep 17 00:00:00 2001
From: Knut Ahlers
Date: Wed, 28 Aug 2024 18:41:29 +0200
Subject: [PATCH] Resolve cnspec warnings for ICMP redirects

Signed-off-by: Knut Ahlers
---
 PKGBUILD | 2 +-
 base/usr/share/luzifer/base-setup/files/sysctl.conf | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/PKGBUILD b/PKGBUILD
index 456a5b7..8db5646 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -7,7 +7,7 @@ pkgname=(
 luzifer-gui
 luzifer-lenovo-gui
 )
-pkgver=0.11.0
+pkgver=0.11.1
 pkgrel=1
 pkgdesc='System configuration for @luzifer systems'
 arch=(any)
diff --git a/base/usr/share/luzifer/base-setup/files/sysctl.conf b/base/usr/share/luzifer/base-setup/files/sysctl.conf
index f186889..0c5830a 100644
--- a/base/usr/share/luzifer/base-setup/files/sysctl.conf
+++ b/base/usr/share/luzifer/base-setup/files/sysctl.conf
@@ -8,3 +8,13 @@ net.ipv4.conf.default.rp_filter = 1

 # CNSPEC: Ensure core dumps are restricted
 fs.suid_dumpable = 0
+
+# CNSPEC: Ensure ICMP redirects are not accepted
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# CNSPEC: Ensure secure ICMP redirects are not accepted
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
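Review bot: The `all`/`default` keys added at the end of sysctl.conf may leave interfaces that already exist when the file is applied still accepting redirects. For IPv4 `accept_redirects` on a non-forwarding host and for `secure_redirects`, the kernel ORs the `all` value with the per-interface value, and `default` only seeds interfaces created afterwards. How base-setup loads this file is not visible here, so if it can run after the network is up, the cnspec check would pass while the effective setting is unchanged. I would add a comment above the block such as `# NOTE: all/default do not reset interfaces that already exist; apply before network setup`, and check the per-interface values with `sysctl -a` after applying. Lines 1-7 of the file are outside the hunk, so it cannot be seen whether `net.ipv4.conf.all.send_redirects = 0` is already set there; on hosts that do not route it is the usual companion setting.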