Implemented: V-38524.

This patch disables ICMPv4 redirects feature on the host. Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required. It is configurable by `security_disable_icmpv4_redirects`. This feature is disabled by default as it can disrupt LXC deployments. Change-Id: I228f8aa7b0df80cce16e54c5f1e11da678bfd67d
2016-06-03 02:18:30 +02:00 · 2016-06-03 02:18:30 +02:00 · 5112569743
commit 5112569743
parent ecb0329088
3 changed files with 22 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -205,6 +205,7 @@ security_disable_module_rds: yes                  # V-38516
 security_disable_module_sctp: yes                 # V-38515
 security_disable_module_tipc: yes                 # V-38517
 security_disable_module_usb_storage: no           # V-38490
 security_disable_icmpv4_redirects: no             # V-38524
 #
 # ** DANGER **
 # It's strongly recommended to fully understand the effects of changing the
--- a/doc/source/developer-notes/V-38524.rst
+++ b/doc/source/developer-notes/V-38524.rst
@ -1 +0,0 @@
 V-38523.rst
--- a/doc/source/developer-notes/V-38524.rst
+++ b/doc/source/developer-notes/V-38524.rst
@ -0,0 +1,9 @@
 This patch disables ICMPv4 redirects feature on the host.
 Accepting ICMP redirects has few legitimate uses.
 It should be disabled unless it is absolutely required.
 It is configurable by ``security_disable_icmpv4_redirects`` variable.
 This feature is disabled by default as it can disrupt ``LXC`` deployments.
 Deployers can skip or enable this task by setting
 ``security_disable_icmpv4_redirects`` to ``no``  or ``yes``,  respectively.
--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
@ -173,3 +173,15 @@
    - kernel
    - cat2
    - V-38682
 - name: V-38524 - The system must not accept ICMPv4 redirect packets on any interface
  sysctl:
    name: net.ipv4.conf.all.accept_redirects
    value: 0
    state: present
    sysctl_set: yes
  when: security_disable_icmpv4_redirects | bool
  tags:
    - kernel
    - cat2
    - V-38524