Merge "Implemented: V-38548."

defaults/main.yml

@@ -215,6 +215,7 @@ security_disable_module_tipc: yes                 # V-38517
 security_disable_module_usb_storage: no           # V-38490
 security_disable_icmpv4_redirects: no             # V-38524
 security_disable_icmpv4_redirects_secure: no      # V-38526
+security_disable_icmpv6_redirects: no             # V-38548
 #
 # ** DANGER **
 # It's strongly recommended to fully understand the effects of changing the

doc/source/stig-notes/V-38548_developer.rst

@@ -1,4 +1,15 @@
-**Exception**
+**Opt-in required**
 
-Disabling IPv6 redirects can cause issues with OpenStack environments which
-have IPv6 enabled and are routing IPv6 traffic.
+Accepting ICMP redirects has few legitimate uses. It should be disabled unless
+it is absolutely required.
+
+It is configurable by ``security_disable_icmpv6_redirects`` variable. This
+feature is disabled by default. Disabling IPv6 redirects can cause issues with
+OpenStack environments which have IPv6 enabled and are routing IPv6 traffic.
+
+Deployers can opt-in to this change and disable ICMPv6 redirects by setting
+the following Ansible variable:
+
+.. code-block:: yaml
+
+   security_disable_icmpv6_redirects: yes

releasenotes/notes/adding-v38548-9c51b30bf9780ff3.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    A new task was added to disable ICMPv6 redirects per the requirements in
+    V-38548. However, since this change can cause problems in running OpenStack
+    environments, it is disabled by default. Deployers who wish to enable this
+    task (and disable ICMPv6 redirects) should set
+    ``security_disable_icmpv6_redirects`` to ``yes``.

tasks/kernel.yml

@@ -208,3 +208,15 @@
     - kernel
     - cat2
     - V-38526
+
+- name: V-38548 - The system must ignore ICMPv6 redirects by default
+  sysctl:
+    name: net.ipv6.conf.all.accept_redirects
+    value: 0
+    state: present
+    sysctl_set: yes
+  when: security_disable_icmpv6_redirects | bool
+  tags:
+    - kernel
+    - cat2
+    - V-38548