Disable ICMPv6 Redirect Messages in Solaris

Posted on by Bian Xi

Disable ICMPv6 Redirect Messages in Solaris

As CIS requirements, ICMPv6 Redirect Messages should be disabled in Solaris.

Steps

Download two following files

cis_netconfig.sh
cis_netconfig.xml

Following commands are copied from CIS document, which is not clean. Just for reference.

cat > cis_netconfig.sh << END
#!/sbin/sh
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip6_forward_src_routed 0
ndd -set /dev/tcp tcp_rev_src_routes 0
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
ndd -set /dev/tcp tcp_conn_req_max_q 1024
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
ndd -set /dev/ip ip_respond_to_echo_multicast 0
ndd -set /dev/ip ip6_respond_to_echo_multicast 0
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/arp arp_cleanup_interval 60000
ndd -set /dev/ip ip_ire_arp_interval 60000
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip6_ignore_redirect 1
ndd -set /dev/tcp tcp_extra_priv_ports_add 6112
ndd -set /dev/ip ip_strict_dst_multihoming 1
ndd -set /dev/ip ip6_strict_dst_multihoming 1
ndd -set /dev/ip ip_send_redirects 0
ndd -set /dev/ip ip6_send_redirects 0
END
chmod +x cis_netconfig.sh
cat > cis_netconfig.xml << END
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='CIS:cis_netconfig'>
  <service name='site/cis_netconfig' type='service' version='1'>
    <create_default_instance enabled='true' />
    <single_instance />

    <dependency name='usr' type='service' grouping='require_all' restart_on='none'>
      <service_fmri value='svc:/system/filesystem/minimal' />
    </dependency>

    <!-- Run ndd commands after network/physical is plumbed. -->
    <dependency name='network-physical' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/network/physical' />
    </dependency>

    <!-- but run the commands before network/initial -->
    <dependent name='ndd_network- initial' grouping='optional_all' restart_on='none'>
      <service_fmri value='svc:/network/initial' />
    </dependent>

    <exec_method type='method' name='start' exec='/lib/svc/method/cis_netconfig.sh' timeout_seconds='60' />
    <exec_method type='method' name='stop' exec=':true' timeout_seconds='60' />
    <property_group name='startd' type='framework'>
       <propval name='duration' type='astring' value='transient' />
    </property_group>

    <stability value='Unstable' />
    <template>
      <common_name>
        <loctext xml:lang='C'> CIS IP Network Parameter Set </loctext>
      </common_name>
    </template>
  </service>
</service_bundle>
END
cp cis_netconfig.sh /lib/svc/method
chmod 750 /lib/svc/method/cis_netconfig.sh
svccfg import cis_netconfig.xml

Create a service

# cp cis_netconfig.sh /lib/svc/method
# chmod 750 /lib/svc/method/cis_netconfig.sh
# svccfg import cis_netconfig.xml

References

CIS Oracle Solaris 10 Benchmark v5.2.0 - 09-02-2015 - Local Cache

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>


The reCAPTCHA verification period has expired. Please reload the page.