Implemented: V-38548.

This patch disables ICMPv6 redirects feature on the host. Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required. It is configurable by ``security_disable_icmpv6_redirects`` variable. This feature is disabled by default. Change-Id: I12049973d351aee76b95153779c6545e4c7cf00c
2016-08-18 08:18:39 -05:00 · 2016-08-18 08:18:39 -05:00 · 31823b7647
commit 31823b7647
parent fb33be7e68
4 changed files with 35 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -215,6 +215,7 @@ security_disable_module_tipc: yes                 # V-38517
 security_disable_module_usb_storage: no           # V-38490
 security_disable_icmpv4_redirects: no             # V-38524
 security_disable_icmpv4_redirects_secure: no      # V-38526
+security_disable_icmpv6_redirects: no             # V-38548
 #
 # ** DANGER **
 # It's strongly recommended to fully understand the effects of changing the
--- a/doc/source/stig-notes/V-38548_developer.rst
+++ b/doc/source/stig-notes/V-38548_developer.rst
@ -1,4 +1,15 @@
-**Exception**
+**Opt-in required**

-Disabling IPv6 redirects can cause issues with OpenStack environments which
-have IPv6 enabled and are routing IPv6 traffic.
+Accepting ICMP redirects has few legitimate uses. It should be disabled unless
+it is absolutely required.
+
+It is configurable by ``security_disable_icmpv6_redirects`` variable. This
+feature is disabled by default. Disabling IPv6 redirects can cause issues with
+OpenStack environments which have IPv6 enabled and are routing IPv6 traffic.
+
+Deployers can opt-in to this change and disable ICMPv6 redirects by setting
+the following Ansible variable:
+
+.. code-block:: yaml
+
+   security_disable_icmpv6_redirects: yes
--- a/releasenotes/notes/adding-v38548-9c51b30bf9780ff3.yaml
+++ b/releasenotes/notes/adding-v38548-9c51b30bf9780ff3.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - |
+    A new task was added to disable ICMPv6 redirects per the requirements in
+    V-38548. However, since this change can cause problems in running OpenStack
+    environments, it is disabled by default. Deployers who wish to enable this
+    task (and disable ICMPv6 redirects) should set
+    ``security_disable_icmpv6_redirects`` to ``yes``.
--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
@ -208,3 +208,15 @@
    - kernel
    - cat2
    - V-38526
+
+- name: V-38548 - The system must ignore ICMPv6 redirects by default
+  sysctl:
+    name: net.ipv6.conf.all.accept_redirects
+    value: 0
+    state: present
+    sysctl_set: yes
+  when: security_disable_icmpv6_redirects | bool
+  tags:
+    - kernel
+    - cat2
+    - V-38548