Implemented: V-38526.

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. This feature is disabled by default as is configurable by ``security_disable_icmpv4_redirects_secure`` variable. Change-Id: I1e319e158c8e8cac04053993083c19c845a37849
2016-08-18 08:26:56 -05:00 · 2016-08-18 08:26:56 -05:00 · 704e1c85a9
commit 704e1c85a9
parent 36e7d54a27
4 changed files with 31 additions and 11 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -214,6 +214,7 @@ security_disable_module_sctp: yes                 # V-38515
 security_disable_module_tipc: yes                 # V-38517
 security_disable_module_usb_storage: no           # V-38490
 security_disable_icmpv4_redirects: no             # V-38524
+security_disable_icmpv4_redirects_secure: no      # V-38526
 #
 # ** DANGER **
 # It's strongly recommended to fully understand the effects of changing the
--- a/doc/source/stig-notes/V-38526_developer.rst
+++ b/doc/source/stig-notes/V-38526_developer.rst
@ -1,13 +1,12 @@
-**Exception**
+**Opt-in required**

-The STIG makes several requirements for IPv4 network restrictions, but these
-restrictions can impact certain network interfaces and cause service
-disruptions. Some security configurations make sense for certain types of
-network interfaces, like bridges, but other restrictions cause the network
-interface to stop passing valid traffic between hosts, containers, or virtual
-machines.
+The STIG requires that secure ICMP redirects are disabled, but this can cause
+issues in some virtualized or containerized environments. The Ansible tasks
+in the security role will not disable these redirects by default.

-The default network scripts and LXC userspace tools already configure various
-network devices to their most secure setting. Since some hosts will act as
-routers, enabling security configurations that restrict network traffic can
-cause service disruptions for OpenStack environments.
+Deployers who want to enable the task (and disable ICMP redirects), should set
+the following Ansible variable:
+
+.. code-block:: yaml
+
+   security_disable_icmpv4_redirects_secure: yes
--- a/releasenotes/notes/adding-v38526-381a407caa566b14.yaml
+++ b/releasenotes/notes/adding-v38526-381a407caa566b14.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - |
+    A task was added to disable secure ICMP redirects per the requirements in
+    V-38526. This change can cause problems in some environments, so it is
+    disabled by default. Deployers can enable the task (which disables secure
+    ICMP redirects) by setting ``security_disable_icmpv4_redirects_secure`` to
+    ``yes``.
--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
@ -196,3 +196,15 @@
    - kernel
    - cat3
    - CVE-2016-5696
+
+- name: V-38526 - The system must not accept ICMPv4 secure redirect packets on any interface
+  sysctl:
+    name: net.ipv4.conf.all.secure_redirects
+    value: 0
+    state: present
+    sysctl_set: yes
+  when: security_disable_icmpv4_redirects_secure | bool
+  tags:
+    - kernel
+    - cat2
+    - V-38526