Category: cis

Disable ICMPv6 Redirect Messages in Solaris

Disable ICMPv6 Redirect Messages in Solaris

As CIS requirements, ICMPv6 Redirect Messages should be disabled in Solaris.

Steps

Download two following files

cis_netconfig.sh
cis_netconfig.xml

Following commands are copied from CIS document, which is not clean. Just for reference.

cat > cis_netconfig.sh << END
#!/sbin/sh
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip6_forward_src_routed 0
ndd -set /dev/tcp tcp_rev_src_routes 0
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
ndd -set /dev/tcp tcp_conn_req_max_q 1024
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
ndd -set /dev/ip ip_respond_to_echo_multicast 0
ndd -set /dev/ip ip6_respond_to_echo_multicast 0
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/arp arp_cleanup_interval 60000
ndd -set /dev/ip ip_ire_arp_interval 60000
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip6_ignore_redirect 1
ndd -set /dev/tcp tcp_extra_priv_ports_add 6112
ndd -set /dev/ip ip_strict_dst_multihoming 1
ndd -set /dev/ip ip6_strict_dst_multihoming 1
ndd -set /dev/ip ip_send_redirects 0
ndd -set /dev/ip ip6_send_redirects 0
END
chmod +x cis_netconfig.sh
cat > cis_netconfig.xml << END
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='CIS:cis_netconfig'>
  <service name='site/cis_netconfig' type='service' version='1'>
    <create_default_instance enabled='true' />
    <single_instance />

    <dependency name='usr' type='service' grouping='require_all' restart_on='none'>
      <service_fmri value='svc:/system/filesystem/minimal' />
    </dependency>

    <!-- Run ndd commands after network/physical is plumbed. -->
    <dependency name='network-physical' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/network/physical' />
    </dependency>

    <!-- but run the commands before network/initial -->
    <dependent name='ndd_network- initial' grouping='optional_all' restart_on='none'>
      <service_fmri value='svc:/network/initial' />
    </dependent>

    <exec_method type='method' name='start' exec='/lib/svc/method/cis_netconfig.sh' timeout_seconds='60' />
    <exec_method type='method' name='stop' exec=':true' timeout_seconds='60' />
    <property_group name='startd' type='framework'>
       <propval name='duration' type='astring' value='transient' />
    </property_group>

    <stability value='Unstable' />
    <template>
      <common_name>
        <loctext xml:lang='C'> CIS IP Network Parameter Set </loctext>
      </common_name>
    </template>
  </service>
</service_bundle>
END
cp cis_netconfig.sh /lib/svc/method
chmod 750 /lib/svc/method/cis_netconfig.sh
svccfg import cis_netconfig.xml

Create a service

# cp cis_netconfig.sh /lib/svc/method
# chmod 750 /lib/svc/method/cis_netconfig.sh
# svccfg import cis_netconfig.xml

References

CIS Oracle Solaris 10 Benchmark v5.2.0 - 09-02-2015 - Local Cache