@dkeirns dkeirns commented Dec 9, 2025

added a group of tasks to disable ICMP redirects and included the file in main.yml

added a group of tasks to disable ICMP redirects and included the file in main.yml
removed extra spaces in the {regex...}
added end of file line feed
Comment on lines +50 to +54
with_items:
- {regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects = 0'}
- {regexp: '^net.ipv4.conf.default.accept_redirects', line: 'net.ipv4.conf.default.accept_redirects = 0'}
- {regexp: '^net.ipv4.conf.all.secure_redirects', line: 'net.ipv4.conf.all.secure_redirects = 0'}
- {regexp: '^net.ipv4.conf.default.secure_redirects', line: 'net.ipv4.conf.default.secure_redirects = 0'}
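Review bot: the four `regexp` patterns in this `with_items` list leave their dots unescaped and stop at the end of the key name, so `^net.ipv4.conf.all.accept_redirects` matches any line that merely begins with text of that shape, not only an assignment to that key. Escape the dots and end each pattern with `\s*=` so that each `line` replaces only the intended assignment.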
Contributor

nit

Suggested change
with_items:
- {regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects = 0'}
- {regexp: '^net.ipv4.conf.default.accept_redirects', line: 'net.ipv4.conf.default.accept_redirects = 0'}
- {regexp: '^net.ipv4.conf.all.secure_redirects', line: 'net.ipv4.conf.all.secure_redirects = 0'}
- {regexp: '^net.ipv4.conf.default.secure_redirects', line: 'net.ipv4.conf.default.secure_redirects = 0'}
loop:
- regexp: '^net.ipv4.conf.all.accept_redirects'
line: 'net.ipv4.conf.all.accept_redirects = 0'
- regexp: '^net.ipv4.conf.default.accept_redirects'
line: 'net.ipv4.conf.default.accept_redirects = 0'
- regexp: '^net.ipv4.conf.all.secure_redirects'
line: 'net.ipv4.conf.all.secure_redirects = 0'
- regexp: '^net.ipv4.conf.default.secure_redirects'
line: 'net.ipv4.conf.default.secure_redirects = 0'

Contributor

However, with the previous use of ansible.posix.sysctl with sysctl_set, these options should already be persistent on the system, meaning this task would not be needed. Thoughts?

Contributor Author

loop with the separated regexp: and line is easier to read. I'd be happy to test it and update. As for sysctl_set, my understanding from the documentation is that it is the equivalent of sysctl -w, which does not appear to write the configuration line to /etc/sysctl.conf. Therefore, to ensure the lines were written to the config file, I have been updating the file as well.

Contributor

The module will set the values in the default sysctl file, unless specifically disabled. https://docs.ansible.com/projects/ansible/latest/collections/ansible/posix/sysctl_module.html#parameter-sysctl_file
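
An added example, not code from this pull request or from the role: a shell check for the question the thread turns on, namely whether the four redirect keys are actually persisted as 0 in a sysctl configuration file. The function names and the variable `REDIRECT_KEYS` are hypothetical, chosen for this example.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-format file for the four keys in this PR.
# Function names are hypothetical, not part of the role under review.

REDIRECT_KEYS="net.ipv4.conf.all.accept_redirects
net.ipv4.conf.default.accept_redirects
net.ipv4.conf.all.secure_redirects
net.ipv4.conf.default.secure_redirects"

# persisted_value FILE KEY
# Prints the effective value of KEY in FILE, or nothing if KEY is absent.
# Comment lines (# or ;) are skipped and the last assignment wins.
persisted_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            # Exact string comparison, so no regex over-matching on the key
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }
    ' "$1"
}

# audit_redirects FILE
# Prints one "key: value" line for every key not persisted as 0
# ("missing" when the key has no active assignment).
# Returns 0 when all four keys are persisted as 0, otherwise 1.
audit_redirects() {
    rc=0
    for key in $REDIRECT_KEYS; do
        val=$(persisted_value "$1" "$key")
        if [ "$val" != "0" ]; then
            echo "$key: ${val:-missing}"
            rc=1
        fi
    done
    return $rc
}

# When run with a file argument, audit that file.
[ "$#" -eq 0 ] || audit_redirects "$1"
```

It reads only the file it is given, so pass the path the role uses for `sysctl_file`; runtime values can be compared separately with `sysctl -n <key>`.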
