Implemented: V-38524.

This patch disables the ICMPv4 redirects feature on the host. Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required. It is configurable by `security_disable_icmpv4_redirects`. This feature is disabled by default as it can disrupt LXC deployments.

Change-Id: I228f8aa7b0df80cce16e54c5f1e11da678bfd67d
parent ecb0329088
commit 5112569743
@ -205,6 +205,7 @@ security_disable_module_rds: yes # V-38516
security_disable_module_sctp: yes # V-38515
security_disable_module_tipc: yes # V-38517
security_disable_module_usb_storage: no # V-38490
security_disable_icmpv4_redirects: no # V-38524
#
# ** DANGER **
# It's strongly recommended to fully understand the effects of changing the
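Review bot: `security_disable_icmpv4_redirects: no # V-38524` ships this STIG control switched off, and nothing in the defaults file says why, so a deployer reading only this file cannot tell that it is opt-in because of the LXC breakage described in the developer note. Suggest carrying that reason onto the line, e.g. `security_disable_icmpv4_redirects: no # V-38524 (off by default: can break LXC)`, so the trade-off is visible where the value is set.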
@ -1 +0,0 @@
V-38523.rst
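Review bot: this hunk deletes a one-line file whose only content was `V-38523.rst`, but the commit message above only describes adding the V-38524 control and says nothing about a removal. State in the commit message which file is removed and why (a stray or misnamed developer note, if that is what it was), so the deletion is traceable from the history rather than appearing as an unrelated change.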
doc/source/developer-notes/V-38524.rst
Normal file
@ -0,0 +1,9 @@
This patch disables ICMPv4 redirects feature on the host.
Accepting ICMP redirects has few legitimate uses.
It should be disabled unless it is absolutely required.
It is configurable by ``security_disable_icmpv4_redirects`` variable.
This feature is disabled by default as it can disrupt ``LXC`` deployments.
Deployers can skip or enable this task by setting
``security_disable_icmpv4_redirects`` to ``no`` or ``yes``, respectively.
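Review bot: the developer note says the same thing twice: `It is configurable by ``security_disable_icmpv4_redirects`` variable.` and, four lines later, `Deployers can skip or enable this task by setting ``security_disable_icmpv4_redirects`` to ``no`` or ``yes``, respectively.` Keep one of the two (the second is the more precise); the first is also missing an article (`by the ... variable`). It would also help deployers auditing a host to name the sysctl the task changes, `net.ipv4.conf.all.accept_redirects`, so the note can be checked against `sysctl` output.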
@ -173,3 +173,15 @@
- kernel
- cat2
- V-38682
- name: V-38524 - The system must not accept ICMPv4 redirect packets on any interface
sysctl:
name: net.ipv4.conf.all.accept_redirects
value: 0
state: present
sysctl_set: yes
when: security_disable_icmpv4_redirects | bool
tags:
- kernel
- cat2
- V-38524
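Review bot: the task sets only `net.ipv4.conf.all.accept_redirects`, which is not enough to reject redirects on every interface. In the Linux IPv4 stack, for an interface with forwarding disabled (the usual case for a host) a redirect is accepted if either `conf/all/accept_redirects` or `conf/<interface>/accept_redirects` is 1, and `conf/<interface>/` values are seeded from `conf/default/` when the interface is created; the `all` key is only conjunctive when forwarding is on. So a host with `default` still at 1 keeps accepting redirects on interfaces brought up later, and the task name ("on any interface") overstates what it enforces. Suggest setting both keys in this task, e.g. looping the `sysctl` call over `net.ipv4.conf.all.accept_redirects` and `net.ipv4.conf.default.accept_redirects` with `value: 0`, and verifying with `sysctl net.ipv4.conf.all.accept_redirects net.ipv4.conf.default.accept_redirects` after the play.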