Implemented: V-38526.

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. This feature is disabled by default as is configurable by ``security_disable_icmpv4_redirects_secure`` variable. Change-Id: I1e319e158c8e8cac04053993083c19c845a37849
2016-08-18 08:26:56 -05:00 · 2016-08-18 08:26:56 -05:00 · 704e1c85a9
commit 704e1c85a9
parent 36e7d54a27
4 changed files with 31 additions and 11 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -214,6 +214,7 @@ security_disable_module_sctp: yes                 # V-38515
 security_disable_module_tipc: yes                 # V-38517
 security_disable_module_usb_storage: no           # V-38490
 security_disable_icmpv4_redirects: no             # V-38524
 security_disable_icmpv4_redirects_secure: no      # V-38526
 #
 # ** DANGER **
 # It's strongly recommended to fully understand the effects of changing the
--- a/doc/source/stig-notes/V-38526_developer.rst
+++ b/doc/source/stig-notes/V-38526_developer.rst
@ -1,13 +1,12 @@
-**Exception**
+**Opt-in required**
-The STIG makes several requirements for IPv4 network restrictions, but these
+The STIG requires that secure ICMP redirects are disabled, but this can cause
-restrictions can impact certain network interfaces and cause service
+issues in some virtualized or containerized environments. The Ansible tasks
-disruptions. Some security configurations make sense for certain types of
+in the security role will not disable these redirects by default.
 network interfaces, like bridges, but other restrictions cause the network
 interface to stop passing valid traffic between hosts, containers, or virtual
 machines.
-The default network scripts and LXC userspace tools already configure various
+Deployers who want to enable the task (and disable ICMP redirects), should set
-network devices to their most secure setting. Since some hosts will act as
+the following Ansible variable:
-routers, enabling security configurations that restrict network traffic can
+
-cause service disruptions for OpenStack environments.
+.. code-block:: yaml
   security_disable_icmpv4_redirects_secure: yes
--- a/releasenotes/notes/adding-v38526-381a407caa566b14.yaml
+++ b/releasenotes/notes/adding-v38526-381a407caa566b14.yaml
@ -0,0 +1,8 @@
 ---
 features:
  - |
    A task was added to disable secure ICMP redirects per the requirements in
    V-38526. This change can cause problems in some environments, so it is
    disabled by default. Deployers can enable the task (which disables secure
    ICMP redirects) by setting ``security_disable_icmpv4_redirects_secure`` to
    ``yes``.
--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
@ -196,3 +196,15 @@
    - kernel
    - cat3
    - CVE-2016-5696
 - name: V-38526 - The system must not accept ICMPv4 secure redirect packets on any interface
  sysctl:
    name: net.ipv4.conf.all.secure_redirects
    value: 0
    state: present
    sysctl_set: yes
  when: security_disable_icmpv4_redirects_secure | bool
  tags:
    - kernel
    - cat2
    - V-38526