Merge "Implemented: V-38524."

defaults/main.yml

@@ -209,6 +209,7 @@ security_disable_module_rds: yes                  # V-38516
 security_disable_module_sctp: yes                 # V-38515
 security_disable_module_tipc: yes                 # V-38517
 security_disable_module_usb_storage: no           # V-38490
+security_disable_icmpv4_redirects: no             # V-38524
 #
 # ** DANGER **
 # It's strongly recommended to fully understand the effects of changing the

doc/source/developer-notes/V-38524.rst

@@ -1 +0,0 @@
-V-38523.rst

doc/source/developer-notes/V-38524.rst

@@ -0,0 +1,9 @@
+This patch disables ICMPv4 redirects feature on the host.
+Accepting ICMP redirects has few legitimate uses.
+It should be disabled unless it is absolutely required.
+
+It is configurable by ``security_disable_icmpv4_redirects`` variable.
+This feature is disabled by default as it can disrupt ``LXC`` deployments.
+
+Deployers can skip or enable this task by setting
+``security_disable_icmpv4_redirects`` to ``no``  or ``yes``,  respectively.

tasks/kernel.yml

@@ -173,3 +173,15 @@
     - kernel
     - cat2
     - V-38682
+
+- name: V-38524 - The system must not accept ICMPv4 redirect packets on any interface
+  sysctl:
+    name: net.ipv4.conf.all.accept_redirects
+    value: 0
+    state: present
+    sysctl_set: yes
+  when: security_disable_icmpv4_redirects | bool
+  tags:
+    - kernel
+    - cat2
+    - V-38524