ansible-lockdown/RHEL8-STIG

Misconfigured Setting - RHEL-08-040279 - RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.

platymatt opened this issue · 2 comments

Describe the Issue
The control V-244553 expects net.ipv4.conf.all.accept_redirects = 0 to be set in the /etc/sysctl.d/ directory.

The task here for V-244553 instead sets net.ipv4.conf.all.send_redirects, which I believe to be a typo, as the previous two tasks in the block look for net.ipv4.conf.all.accept_redirects = [^0], so the third task should set net.ipv4.conf.all.accept_redirects = 0.

The send_redirects setting is actually set here, in the V-230536 group of tasks.

Expected Behavior
I expect net.ipv4.conf.all.accept_redirects = 0 to be set in the rhel8stig_sysctl_file.

Actual Behavior
net.ipv4.conf.all.accept_redirects = 0 is not set in the /etc/sysctl.d/ directory as it is never configured via a task.

Control(s) Affected
What controls are being affected by the issue:
V-244553 RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

Environment (please complete the following information):

  • branch being used: devel
commit 1640945183014c6a31d9c1d4359fb3d77d542dc8 (HEAD -> devel, origin/devel, origin/HEAD)
Merge: f845492 52fb839
Author: uk-bolly <mark.bollyuk@gmail.com>
Date:   Mon Dec 11 14:05:08 2023 +0000

    Merge pull request #238 from ansible-lockdown/pre-commit-ci-update-config

    [pre-commit.ci] pre-commit autoupdate
  • Ansible Version:
[python@a501c5dc1d55 work]$ ansible --version
ansible [core 2.14.10]
  config file = None
  configured module search path = ['/home/python/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/python/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.16 (main, Mar  8 2023, 03:23:31) [GCC 8.5.0 20210514 (Red Hat 8.5.0-16)] (/usr/local/bin/python3.9)
  jinja version = 3.1.2
  libyaml = True
  • Host Python Version: 3.9.18-1
  • Additional Details:

Additional Notes
None

Possible Solution
Update the task to use the proper configuration: net.ipv4.conf.all.accept_redirects = 0
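As an added illustration (not part of the issue or the role's own code), a small audit that parses a sysctl.d-style file and reports whether the two keys discussed here, accept_redirects (V-244553) and send_redirects (V-230536), are present and set to 0. The sample file contents are constructed to mirror the typo described above: send_redirects written twice, accept_redirects never written.

```python
"""Audit a sysctl.d fragment for the ICMP redirect keys required by RHEL-08 STIG."""
import re
from typing import Dict

# Expected values for the two controls named in the issue (V-244553, V-230536).
EXPECTED = {
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
}

# sysctl keys may use '.' or '/' as separators; values are a single token.
_SETTING = re.compile(r"^\s*([A-Za-z0-9_./]+)\s*=\s*(\S+)\s*$")


def parse_sysctl(text: str) -> Dict[str, str]:
    """Return {key: value} from 'key = value' lines, skipping blanks and comments.
    Like sysctl(8), a later duplicate of a key overrides an earlier one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        match = _SETTING.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def audit(text: str) -> Dict[str, str]:
    """Return {key: finding} for every expected key that is missing or mis-set.
    An empty dict means the fragment satisfies both controls."""
    found = parse_sysctl(text)
    findings: Dict[str, str] = {}
    for key, want in EXPECTED.items():
        got = found.get(key)
        if got is None:
            findings[key] = "missing"
        elif got != want:
            findings[key] = f"set to {got}, expected {want}"
    return findings


# Constructed sample of the buggy rendering: send_redirects twice, no accept_redirects.
BUGGY_FILE = """# constructed sample, not a real role output
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
"""

# Constructed sample of the corrected rendering proposed in the issue.
FIXED_FILE = """# constructed sample, not a real role output
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
"""
```

Running `audit()` over the buggy sample reports accept_redirects as missing even though the file looks complete at a glance, which is exactly the gap a compliance scanner would flag.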

hi @platymatt

Thank you for your patience on this issue; with so many moving parts it's taken longer than we'd hoped. I hopefully have now addressed this issue for the ICMP redirects typo.
I have created a new branch April_24, which I am hoping to merge into devel soon. If you could possibly confirm this works as you expect?

Many thanks

uk-bolly

This works for me and you can close the issue. Thanks for updating!