From be477fc298b840c3a2c49998843a0ba4b15d490f Mon Sep 17 00:00:00 2001
From: dkeirns
Date: Tue, 9 Dec 2025 15:12:51 -0600
Subject: [PATCH 1/6] ICMP Redirects vulnerability remediation

added a group of tasks to disable ICMP redirects and included the file in main.yml
---
 .../tasks/disable_icmp_redirect.yml | 58 +++++++++++++++++++
 ansible/roles/host_setup/tasks/main.yml | 3 +
 2 files changed, 61 insertions(+)
 create mode 100644 ansible/roles/host_setup/tasks/disable_icmp_redirect.yml

diff --git a/ansible/roles/host_setup/tasks/disable_icmp_redirect.yml b/ansible/roles/host_setup/tasks/disable_icmp_redirect.yml
new file mode 100644
index 000000000..5f84fc282
--- /dev/null
+++ b/ansible/roles/host_setup/tasks/disable_icmp_redirect.yml
@@ -0,0 +1,58 @@
+---
+# Copyright 2024, Rackspace Technology, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Set net.ipv4.conf.all.accept_redirects to 0
+  ansible.posix.sysctl:
+    name: net.ipv4.conf.all.accept_redirects
+    value: 0
+    sysctl_set: yes
+  become: yes
+
+- name: Set net.ipv4.conf.default.accept_redirects to 0
+  ansible.posix.sysctl:
+    name: net.ipv4.conf.default.accept_redirects
+    value: 0
+    sysctl_set: yes
+  become: yes
+
+- name: Set net.ipv4.conf.all.secure_redirects to 0
+  ansible.posix.sysctl:
+    name: net.ipv4.conf.all.secure_redirects
+    value: 0
+    sysctl_set: yes
+  become: yes
+
+- name: Set net.ipv4.conf.default.secure_redirects to 0
+  ansible.posix.sysctl:
+    name: net.ipv4.conf.default.secure_redirects
+    value: 0
+    sysctl_set: yes
+  become: yes
+
+- name: Update /etc/sysctl.conf
+  ansible.builtin.lineinfile:
+    path: /etc/sysctl.conf
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+  with_items:
+    - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects = 0' }
+    - { regexp: '^net.ipv4.conf.default.accept_redirects', line: 'net.ipv4.conf.default.accept_redirects = 0' }
+    - { regexp: '^net.ipv4.conf.all.secure_redirects', line: 'net.ipv4.conf.all.secure_redirects = 0' }
+    - { regexp: '^net.ipv4.conf.default.secure_redirects', line: 'net.ipv4.conf.default.secure_redirects = 0' }
+
+- name: Apply changes to /etc/sysctl.conf
+  ansible.builtin.command: sysctl -p /etc/sysctl.conf
+  
become: yes \ No newline at end of file diff --git a/ansible/roles/host_setup/tasks/main.yml b/ansible/roles/host_setup/tasks/main.yml index 544c07c3c..36a77c004 100644 --- a/ansible/roles/host_setup/tasks/main.yml +++ b/ansible/roles/host_setup/tasks/main.yml @@ -170,3 +170,6 @@ - name: Install RAID controller CLI tools ansible.builtin.include_tasks: raid_cli_tools.yml + +-name: Disable ICMP Redirects + ansible.builtin.include_tasks: disable_icmp_redirect.yml From 110abeea2892d3dff60a08b50d4f0cc73a1fc205 Mon Sep 17 00:00:00 2001 From: dkeirns Date: Tue, 9 Dec 2025 15:56:47 -0600 Subject: [PATCH 2/6] fixed missing space character --- ansible/roles/host_setup/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/host_setup/tasks/main.yml b/ansible/roles/host_setup/tasks/main.yml index 36a77c004..6a0912c7d 100644 --- a/ansible/roles/host_setup/tasks/main.yml +++ b/ansible/roles/host_setup/tasks/main.yml @@ -171,5 +171,5 @@ - name: Install RAID controller CLI tools ansible.builtin.include_tasks: raid_cli_tools.yml --name: Disable ICMP Redirects +- name: Disable ICMP Redirects ansible.builtin.include_tasks: disable_icmp_redirect.yml From 738a7e38ab2a84d9087e2e6af4cfa0800f2e6277 Mon Sep 17 00:00:00 2001 From: dkeirns Date: Tue, 9 Dec 2025 16:10:15 -0600 Subject: [PATCH 3/6] fix yes/true setting --- .../host_setup/tasks/disable_icmp_redirect.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/ansible/roles/host_setup/tasks/disable_icmp_redirect.yml b/ansible/roles/host_setup/tasks/disable_icmp_redirect.yml index 5f84fc282..0063b9ed8 100644 --- a/ansible/roles/host_setup/tasks/disable_icmp_redirect.yml +++ b/ansible/roles/host_setup/tasks/disable_icmp_redirect.yml 
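Review bot: The last two tasks of the new disable_icmp_redirect.yml duplicate what `ansible.posix.sysctl` already does and make the role non-idempotent: with `sysctl_set: true` the module both applies the key at runtime and persists it to /etc/sysctl.conf (its default `sysctl_file`) and reloads it, so the `ansible.builtin.lineinfile` task is redundant and the unconditional `ansible.builtin.command: sysctl -p /etc/sysctl.conf` reports changed on every run. The four near-identical sysctl tasks can be collapsed into one task with a `loop` and the two trailing tasks dropped, as below; the later patches in this series (yes→true, spacing, EOF newline) do not change this. The hardening is also partial as written: the IPv4 `send_redirects` keys and the IPv6 `net.ipv6.conf.all.accept_redirects` / `net.ipv6.conf.default.accept_redirects` keys are not set, so a host with IPv6 enabled still accepts redirects on that stack — worth checking against the benchmark this remediation targets before merging.
```yaml
# … unchanged: license header …
- name: Disable acceptance of ICMP redirects (runtime and /etc/sysctl.conf)
  ansible.posix.sysctl:
    name: "{{ item }}"
    value: "0"
    sysctl_set: true
    sysctl_file: /etc/sysctl.conf
    reload: true
    state: present
  become: true
  loop:
    - net.ipv4.conf.all.accept_redirects
    - net.ipv4.conf.default.accept_redirects
    - net.ipv4.conf.all.secure_redirects
    - net.ipv4.conf.default.secure_redirects
# … removed: the "Update /etc/sysctl.conf" lineinfile task and the "Apply changes to /etc/sysctl.conf" command task …
```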
@@ -17,29 +17,29 @@ ansible.posix.sysctl: name: net.ipv4.conf.all.accept_redirects value: 0 - sysctl_set: yes - become: yes + sysctl_set: true + become: true - name: Set net.ipv4.conf.default.accept_redirects to 0 ansible.posix.sysctl: name: net.ipv4.conf.default.accept_redirects value: 0 - sysctl_set: yes - become: yes + sysctl_set: true + become: true - name: Set net.ipv4.conf.all.secure_redirects to 0 ansible.posix.sysctl: name: net.ipv4.conf.all.secure_redirects value: 0 - sysctl_set: yes - become: yes + sysctl_set: true + become: true - name: Set net.ipv4.conf.default.secure_redirects to 0 ansible.posix.sysctl: name: net.ipv4.conf.default.secure_redirects value: 0 - sysctl_set: yes - become: yes + sysctl_set: true + become: true - name: Update /etc/sysctl.conf ansible.builtin.lineinfile: @@ -55,4 +55,4 @@ - name: Apply changes to /etc/sysctl.conf ansible.builtin.command: sysctl -p /etc/sysctl.conf - become: yes \ No newline at end of file + become: true \ No newline at end of file From ffb4c25d9fa3d2c5bc1cb786a4d585b3cc708b69 Mon Sep 17 00:00:00 2001 From: dkeirns Date: Tue, 9 Dec 2025 16:21:01 -0600 Subject: [PATCH 4/6] additional spacing fixes removed extra spaces in the {regex...} added end of file line feed --- .../roles/host_setup/tasks/disable_icmp_redirect.yml | 11 ++++++----- ansible/roles/host_setup/tasks/main.yml | 1 + 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/ansible/roles/host_setup/tasks/disable_icmp_redirect.yml b/ansible/roles/host_setup/tasks/disable_icmp_redirect.yml index 0063b9ed8..7bfa0f823 100644 --- a/ansible/roles/host_setup/tasks/disable_icmp_redirect.yml +++ b/ansible/roles/host_setup/tasks/disable_icmp_redirect.yml 
@@ -48,11 +48,12 @@ line: "{{ item.line }}" state: present with_items: - - { regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects = 0' } - - { regexp: '^net.ipv4.conf.default.accept_redirects', line: 'net.ipv4.conf.default.accept_redirects = 0' } - - { regexp: '^net.ipv4.conf.all.secure_redirects', line: 'net.ipv4.conf.all.secure_redirects = 0' } - - { regexp: '^net.ipv4.conf.default.secure_redirects', line: 'net.ipv4.conf.default.secure_redirects = 0' } + - {regexp: '^net.ipv4.conf.all.accept_redirects', line: 'net.ipv4.conf.all.accept_redirects = 0'} + - {regexp: '^net.ipv4.conf.default.accept_redirects', line: 'net.ipv4.conf.default.accept_redirects = 0'} + - {regexp: '^net.ipv4.conf.all.secure_redirects', line: 'net.ipv4.conf.all.secure_redirects = 0'} + - {regexp: '^net.ipv4.conf.default.secure_redirects', line: 'net.ipv4.conf.default.secure_redirects = 0'} - name: Apply changes to /etc/sysctl.conf ansible.builtin.command: sysctl -p /etc/sysctl.conf - become: true \ No newline at end of file + become: true + diff --git a/ansible/roles/host_setup/tasks/main.yml b/ansible/roles/host_setup/tasks/main.yml index 6a0912c7d..990d93494 100644 --- a/ansible/roles/host_setup/tasks/main.yml +++ b/ansible/roles/host_setup/tasks/main.yml @@ -173,3 +173,4 @@ - name: Disable ICMP Redirects ansible.builtin.include_tasks: disable_icmp_redirect.yml + From 10df5e7407a75a56e192c66c60a5fd8e16161912 Mon Sep 17 00:00:00 2001 From: dkeirns Date: Tue, 9 Dec 2025 16:27:09 -0600 Subject: [PATCH 5/6] fixed trailing spaces --- ansible/roles/host_setup/tasks/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ansible/roles/host_setup/tasks/main.yml b/ansible/roles/host_setup/tasks/main.yml index 990d93494..0c17d9988 100644 --- a/ansible/roles/host_setup/tasks/main.yml +++ b/ansible/roles/host_setup/tasks/main.yml 
@@ -170,7 +170,6 @@ - name: Install RAID controller CLI tools ansible.builtin.include_tasks: raid_cli_tools.yml - + - name: Disable ICMP Redirects ansible.builtin.include_tasks: disable_icmp_redirect.yml - From 221494904c70ba897bd72a3024518dbbdb047a89 Mon Sep 17 00:00:00 2001 From: dkeirns Date: Tue, 9 Dec 2025 16:32:46 -0600 Subject: [PATCH 6/6] removing an extra blank line at eof --- ansible/roles/host_setup/tasks/disable_icmp_redirect.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/ansible/roles/host_setup/tasks/disable_icmp_redirect.yml b/ansible/roles/host_setup/tasks/disable_icmp_redirect.yml index 7bfa0f823..1a0e89987 100644 --- a/ansible/roles/host_setup/tasks/disable_icmp_redirect.yml +++ b/ansible/roles/host_setup/tasks/disable_icmp_redirect.yml @@ -56,4 +56,3 @@ - name: Apply changes to /etc/sysctl.conf ansible.builtin.command: sysctl -p /etc/sysctl.conf become: true -