
Misconfigured Setting - RHEL-08-040279 - RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. #263

Closed
platymatt opened this issue Mar 25, 2024 · 2 comments
Assignees
Labels
bug Something isn't working

Comments


platymatt commented Mar 25, 2024

Describe the Issue
The control V-244553 expects net.ipv4.conf.all.accept_redirects = 0 to be set in the /etc/sysctl.d/ directory.

The task here for V-244553 instead sets net.ipv4.conf.all.send_redirects, which I believe to be a typo, as the previous two tasks in the block look for net.ipv4.conf.all.accept_redirects = [^0], so the third task should set net.ipv4.conf.all.accept_redirects = 0.

The send_redirects setting is actually set here, in the V-230536 group of tasks.

Expected Behavior
I expect net.ipv4.conf.all.accept_redirects = 0 to be set in the rhel8stig_sysctl_file.

Actual Behavior
net.ipv4.conf.all.accept_redirects = 0 is not set in the /etc/sysctl.d/ directory as it is never configured via a task.

Control(s) Affected
What controls are being affected by the issue:
V-244553 RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.

Environment (please complete the following information):

  • branch being used: devel
commit 1640945183014c6a31d9c1d4359fb3d77d542dc8 (HEAD -> devel, origin/devel, origin/HEAD)
Merge: f845492 52fb839
Author: uk-bolly <[email protected]>
Date:   Mon Dec 11 14:05:08 2023 +0000

    Merge pull request #238 from ansible-lockdown/pre-commit-ci-update-config

    [pre-commit.ci] pre-commit autoupdate
  • Ansible Version:
[python@a501c5dc1d55 work]$ ansible --version
ansible [core 2.14.10]
  config file = None
  configured module search path = ['/home/python/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/python/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.16 (main, Mar  8 2023, 03:23:31) [GCC 8.5.0 20210514 (Red Hat 8.5.0-16)] (/usr/local/bin/python3.9)
  jinja version = 3.1.2
  libyaml = True
  • Host Python Version: 3.9.18-1
  • Additional Details:

Additional Notes
None

Possible Solution
Update the task to use the proper configuration: net.ipv4.conf.all.accept_redirects = 0
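As an added example (not code from the ansible-lockdown role or from the issue author), a portable shell audit of exactly what this report is about: whether a sysctl.d-style directory persistently assigns net.ipv4.conf.all.accept_redirects = 0, following the last-assignment-wins order that sysctl --system applies to *.conf files. It assumes only POSIX sh, sed and mktemp; the sample drop-in files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added audit helper (not part of the ansible-lockdown role): does a sysctl.d-style
# directory persistently set the key V-244553 cares about, and to what value?
# Mirrors "sysctl --system" precedence: *.conf files are read in lexical order and
# the last assignment of a key wins. Handles '#'/';' comments, whitespace around
# '=', and the alternative net/ipv4/... key spelling.
KEY="net.ipv4.conf.all.accept_redirects"

# effective_sysctl_value DIR KEY: print the winning value of KEY across DIR/*.conf,
# or nothing if the key is never assigned.
effective_sysctl_value() {
  dir=$1; pattern=$(printf '%s' "$2" | sed 's/\./\\./g'); value=""
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    v=$(sed -n \
      -e 's/[[:space:]]*[#;].*$//' \
      -e ':a' -e 's/^\([^=]*\)\//\1./' -e 'ta' \
      -e "s/^[[:space:]]*$pattern[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p" \
      "$f" | tail -n 1)
    [ -n "$v" ] && value=$v
  done
  printf '%s' "$value"
}

# check_accept_redirects DIR: 0 (PASS) when the persisted value is 0, 1 (FAIL) when
# the key is absent (the symptom reported in this issue) or set to anything else.
check_accept_redirects() {
  v=$(effective_sysctl_value "$1" "$KEY")
  case "$v" in
    0)  echo "PASS: $KEY = 0 is persisted under $1"; return 0 ;;
    "") echo "FAIL: $KEY is never set under $1 (a send_redirects line does not satisfy it)"; return 1 ;;
    *)  echo "FAIL: $KEY = $v under $1, expected 0"; return 1 ;;
  esac
}

# Optional live check on a RHEL host: a persisted file alone does not prove the
# kernel loaded it, so compare the running value too.
running_accept_redirects() {
  [ -r /proc/sys/net/ipv4/conf/all/accept_redirects ] || return 1
  cat /proc/sys/net/ipv4/conf/all/accept_redirects
}

# Constructed sample: a drop-in that only sets send_redirects (the typo from the
# issue) fails; adding the correct key in a later-sorted file passes.
demo() {
  d=$(mktemp -d)
  printf '# constructed sample\nnet.ipv4.conf.all.send_redirects = 0\n' > "$d/99-sysctl.conf"
  check_accept_redirects "$d" || true
  printf 'net/ipv4/conf/all/accept_redirects = 0  # slash form\n' > "$d/99-zz-fix.conf"
  check_accept_redirects "$d"
  rm -rf "$d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see both outcomes; on a real host, compare the result of `check_accept_redirects /etc/sysctl.d` with `running_accept_redirects`.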

@platymatt platymatt added the bug Something isn't working label Mar 25, 2024
@uk-bolly uk-bolly self-assigned this Apr 9, 2024
uk-bolly added a commit that referenced this issue Apr 9, 2024
Signed-off-by: Mark Bolwell <[email protected]>

uk-bolly commented Apr 9, 2024

Hi @platymatt

Thank you for your patience on this issue; with so many moving parts it's taken longer than we'd hoped. I have hopefully now addressed this issue for the ICMP redirects typo.
I have created a new branch, April_24, which I am hoping to merge into devel soon. Could you possibly confirm this works as you expect?

Many thanks

uk-bolly

platymatt (Author) commented

This works for me and you can close the issue. Thanks for updating!

uk-bolly added a commit that referenced this issue Apr 30, 2024
* ruleid updates for v1r12 refer changelog

Signed-off-by: Mark Bolwell <[email protected]>

* updated

Signed-off-by: Mark Bolwell <[email protected]>

* updated PRELIM in title

Signed-off-by: Mark Bolwell <[email protected]>

* updated the workflow version and galaxy setup

Signed-off-by: Mark Bolwell <[email protected]>

* fix typo

Signed-off-by: Mark Bolwell <[email protected]>

* Oraclelinux updated thanks to @BillSkiCO

Signed-off-by: Mark Bolwell <[email protected]>

* updated task 20030 thanks to @BillSkiCO

Signed-off-by: Mark Bolwell <[email protected]>

* updated 40321 thanks to @whitehat237

Signed-off-by: Mark Bolwell <[email protected]>

* updated after feedback from #245

Signed-off-by: Mark Bolwell <[email protected]>

* added issue #248 fix

Signed-off-by: Mark Bolwell <[email protected]>

* Added fix for #254

Signed-off-by: Mark Bolwell <[email protected]>

* fix syntax

Signed-off-by: Mark Bolwell <[email protected]>

* Squashed commit of the following:

commit 14d7da6a3335dea85d73044cac45f851d45e721f
Author: Mark Bolwell <[email protected]>
Date:   Wed Feb 21 15:52:45 2024 +0000

    updated

    Signed-off-by: Mark Bolwell <[email protected]>

commit e6b8a7c2008da9cf11075265801723c597284d6e
Author: Mark Bolwell <[email protected]>
Date:   Wed Feb 21 15:52:05 2024 +0000

    lint and variable improvements

    Signed-off-by: Mark Bolwell <[email protected]>

commit 79948fb314df745bc37f94dffcdf6ec818d945bc
Author: Mark Bolwell <[email protected]>
Date:   Wed Feb 21 15:51:32 2024 +0000

    ssh validation added

    Signed-off-by: Mark Bolwell <[email protected]>

commit 4742d58286387ffdbf569c2094d34290c8f2f90a
Author: Mark Bolwell <[email protected]>
Date:   Wed Feb 21 15:50:46 2024 +0000

    ssh validation added

    Signed-off-by: Mark Bolwell <[email protected]>

commit 33348bc1d3a0537d0cdbcfc70c10286875d97261
Author: Mark Bolwell <[email protected]>
Date:   Wed Feb 21 15:50:25 2024 +0000

    changed ordering and added logic

    Signed-off-by: Mark Bolwell <[email protected]>

commit 6c2d07987d379575c6ecf766e528da19ba5ffae0
Author: Mark Bolwell <[email protected]>
Date:   Wed Feb 21 15:50:12 2024 +0000

    removed as not required

    Signed-off-by: Mark Bolwell <[email protected]>

commit 1d775c698c9270f707dddbd955d096bfaa978dae
Author: Mark Bolwell <[email protected]>
Date:   Wed Feb 21 15:50:04 2024 +0000

    updated

    Signed-off-by: Mark Bolwell <[email protected]>

commit 562d7604e5263ed4d5cd97cdd2a46ea4a1c3f58f
Author: Mark Bolwell <[email protected]>
Date:   Wed Feb 21 15:49:57 2024 +0000

    updated precommit

    Signed-off-by: Mark Bolwell <[email protected]>

commit bb46131304f00cfe9c9b7b62dda9150ab5d19643
Author: Mark Bolwell <[email protected]>
Date:   Wed Feb 21 12:04:15 2024 +0000

    Added ability for audit_only

    Signed-off-by: Mark Bolwell <[email protected]>

Signed-off-by: Mark Bolwell <[email protected]>

* fix typo line 020030

Signed-off-by: Mark Bolwell <[email protected]>

* updated due to galaxy_ng changes

Signed-off-by: Mark Bolwell <[email protected]>

* Revert "fixed gnutls as per issue 196 thansk to @jmalpede"

This reverts commit 63c4c84.

Signed-off-by: William Panlener <[email protected]>

* Update main.yml

Removing stale var rhel8stig_sshd_compression

Signed-off-by: William Golembieski <[email protected]>

* [pre-commit.ci] pre-commit autoupdate

updates:
- [github.com/pre-commit/pre-commit-hooks: v4.4.0 → v4.5.0](pre-commit/pre-commit-hooks@v4.4.0...v4.5.0)
- [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](gitleaks/gitleaks@v8.18.0...v8.18.1)
- [github.com/ansible-community/ansible-lint: v6.20.2 → v6.22.1](ansible/ansible-lint@v6.20.2...v6.22.1)
- [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0)

* [pre-commit.ci] pre-commit autoupdate

updates:
- [github.com/gitleaks/gitleaks: v8.18.1 → v8.18.2](gitleaks/gitleaks@v8.18.1...v8.18.2)
- [github.com/ansible-community/ansible-lint: v6.22.1 → v24.2.0](ansible/ansible-lint@v6.22.1...v24.2.0)
- [github.com/adrienverge/yamllint.git: v1.33.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.35.1)

* updated Readme credits

Signed-off-by: Mark Bolwell <[email protected]>

* updated credits

Signed-off-by: Mark Bolwell <[email protected]>

* [pre-commit.ci] pre-commit autoupdate

updates:
- [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.1](ansible/ansible-lint@v24.2.0...v24.2.1)

* Updated RHEL-08-020050 to loop over stdout_lines. Fixes issue #261.

Signed-off-by: Phenix66 <[email protected]>

* [pre-commit.ci] pre-commit autoupdate

updates:
- [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](pre-commit/pre-commit-hooks@v4.5.0...v4.6.0)

* addressing #251

Signed-off-by: Mark Bolwell <[email protected]>

* fix issue #263

Signed-off-by: Mark Bolwell <[email protected]>

* Address issues #242

Signed-off-by: Mark Bolwell <[email protected]>

* housekeeping lint

Signed-off-by: Mark Bolwell <[email protected]>

* Meet fix text of V-244546

Signed-off-by: Eric Lehmann <[email protected]>

* issue #267

Signed-off-by: Mark Bolwell <[email protected]>

* [pre-commit.ci] pre-commit autoupdate

updates:
- [github.com/ansible-community/ansible-lint: v24.2.1 → v24.2.2](ansible/ansible-lint@v24.2.1...v24.2.2)

* fixed error in conditional rhel-08-020022

Signed-off-by: Mark Bolwell <[email protected]>

---------

Signed-off-by: Mark Bolwell <[email protected]>
Signed-off-by: William Panlener <[email protected]>
Signed-off-by: William Golembieski <[email protected]>
Signed-off-by: uk-bolly <[email protected]>
Signed-off-by: Phenix66 <[email protected]>
Signed-off-by: Eric Lehmann <[email protected]>
Co-authored-by: William Panlener <[email protected]>
Co-authored-by: William Golembieski <[email protected]>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Phenix66 <[email protected]>
Co-authored-by: Eric Lehmann <[email protected]>
uk-bolly added a commit that referenced this issue May 24, 2024
Signed-off-by: Mark Bolwell <[email protected]>