Implemented: V-38548.

This patch disables the ICMPv6 redirects feature on the host.
Accepting ICMP redirects has few legitimate uses.
It should be disabled unless it is absolutely required.

It is configurable by the ``security_disable_icmpv6_redirects`` variable.
This feature is disabled by default.

Change-Id: I12049973d351aee76b95153779c6545e4c7cf00c
Major Hayden 2016-08-18 08:18:39 -05:00
parent fb33be7e68
commit 31823b7647
4 changed files with 35 additions and 3 deletions
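The hardening this commit adds writes a single sysctl key. As an added example (not code from openstack-ansible-security or from this commit), the POSIX shell function below audits the V-38548 setting across every IPv6 sysctl scope (``all``, ``default`` and each interface) from ``sysctl -a``-style output, so a deployer can confirm what the host actually does rather than what one key says. The function name and the two input samples are constructed for the example; on a real host, pass it ``$(sysctl -a 2>/dev/null)`` instead.

```shell
#!/bin/sh
# Added example (not from openstack-ansible-security): audit the V-38548
# setting across every IPv6 sysctl scope, not only "all". The two inputs
# below are constructed samples in the format `sysctl -a` prints.

# Constructed sample: only the "all" scope was set to 0, which is what a
# sysctl task targeting net.ipv6.conf.all.accept_redirects alone leaves.
SAMPLE='net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 1
net.ipv6.conf.eth0.accept_redirects = 1
net.ipv6.conf.lo.accept_redirects = 1
net.ipv4.conf.all.accept_redirects = 1'

# Constructed sample of a host where every IPv6 scope rejects redirects.
FIXED='net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.eth0.accept_redirects = 0'

# icmpv6_redirect_findings SYSCTL_TEXT
# Prints the scope name of every net.ipv6.conf.<scope>.accept_redirects key
# whose value is not 0, one per line. Exits 0 when nothing is printed and
# 1 otherwise. IPv4 keys are ignored on purpose: they belong to
# V-38524/V-38526, not V-38548.
icmpv6_redirect_findings() {
    printf '%s\n' "$1" | awk -F'[ =]+' '
        $1 ~ /^net\.ipv6\.conf\.[^.]+\.accept_redirects$/ && $2 != 0 {
            split($1, part, ".")
            print part[4]
            bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Usage: report the audit result for the constructed sample.
findings=$(icmpv6_redirect_findings "$SAMPLE") \
    && echo "V-38548: every IPv6 scope ignores redirects" \
    || {
        echo "V-38548: scopes still accepting ICMPv6 redirects:"
        printf '  %s\n' $findings
    }
```

Run against the first sample the function reports ``default``, ``eth0`` and ``lo`` and exits non-zero; against the second it prints nothing and exits zero. Because the IPv6 stack keeps a separate ``accept_redirects`` value per interface, with ``default`` supplying the value for interfaces created later, an audit that reads only the ``all`` key can pass while redirects are still honoured.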


@ -215,6 +215,7 @@ security_disable_module_tipc: yes # V-38517
security_disable_module_usb_storage: no # V-38490
security_disable_icmpv4_redirects: no # V-38524
security_disable_icmpv4_redirects_secure: no # V-38526
security_disable_icmpv6_redirects: no # V-38548
#
# ** DANGER **
# It's strongly recommended to fully understand the effects of changing the


@ -1,4 +1,15 @@
**Exception**
**Opt-in required**
Disabling IPv6 redirects can cause issues with OpenStack environments which
have IPv6 enabled and are routing IPv6 traffic.
Accepting ICMP redirects has few legitimate uses. It should be disabled unless
it is absolutely required.
It is configurable by ``security_disable_icmpv6_redirects`` variable. This
feature is disabled by default. Disabling IPv6 redirects can cause issues with
OpenStack environments which have IPv6 enabled and are routing IPv6 traffic.
Deployers can opt-in to this change and disable ICMPv6 redirects by setting
the following Ansible variable:
.. code-block:: yaml
security_disable_icmpv6_redirects: yes
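Review bot: the added documentation repeats itself and is ambiguous about what is "disabled by default". The sentence "Disabling IPv6 redirects can cause issues with OpenStack environments which have IPv6 enabled and are routing IPv6 traffic." appears twice in this hunk; keep one copy. "This feature is disabled by default" can be read as "redirects are disabled by default", the opposite of the opt-in behaviour, so say it the way the release note does: the task is skipped by default and ICMPv6 redirects remain accepted until ``security_disable_icmpv6_redirects`` is set to ``yes``.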


@ -0,0 +1,8 @@
---
features:
- |
A new task was added to disable ICMPv6 redirects per the requirements in
V-38548. However, since this change can cause problems in running OpenStack
environments, it is disabled by default. Deployers who wish to enable this
task (and disable ICMPv6 redirects) should set
``security_disable_icmpv6_redirects`` to ``yes``.


@ -208,3 +208,15 @@
- kernel
- cat2
- V-38526
- name: V-38548 - The system must ignore ICMPv6 redirects by default
sysctl:
name: net.ipv6.conf.all.accept_redirects
value: 0
state: present
sysctl_set: yes
when: security_disable_icmpv6_redirects | bool
tags:
- kernel
- cat2
- V-38548
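Review bot: the task is named "must ignore ICMPv6 redirects by default" but only writes ``net.ipv6.conf.all.accept_redirects``; the V-38548 fix text sets ``net.ipv6.conf.default.accept_redirects``, which is the value new interfaces inherit, and existing interfaces keep their own per-interface ``accept_redirects``. Consider covering both keys, for example with a loop over ``net.ipv6.conf.all.accept_redirects`` and ``net.ipv6.conf.default.accept_redirects`` under the same ``when:`` guard, so the ``default`` scope the STIG checks is actually set.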