Misconfigured Setting - RHEL-08-040279 - RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. #263
Comments
hi @platymatt Thank you for your patience on this issue, with so many moving parts it's taken longer than we'd hope. I hopefully have now addressed this issue for the icmp redirects typo. Many thanks uk-bolly
This works for me and you can close the issue. Thanks for updating!
* ruleid updates for v1r12 refer changelog Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated PRELIM in title Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated the workflow version and galaxy setup Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* fix typo Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Oraclelinux updated thanks to @BillSkiCO Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated task 20030 thanks to @BillSkiCO Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated 40321 thanks to @whitehat237 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated after feedback from #245 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* added issue #248 fix Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Added fix for #254 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* fix syntax Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Squashed commit of the following:
  commit 14d7da6a3335dea85d73044cac45f851d45e721f Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Wed Feb 21 15:52:45 2024 +0000 updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
  commit e6b8a7c2008da9cf11075265801723c597284d6e Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Wed Feb 21 15:52:05 2024 +0000 lint and variable improvements Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
  commit 79948fb314df745bc37f94dffcdf6ec818d945bc Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Wed Feb 21 15:51:32 2024 +0000 ssh validation added Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
  commit 4742d58286387ffdbf569c2094d34290c8f2f90a Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Wed Feb 21 15:50:46 2024 +0000 ssh validation added Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
  commit 33348bc1d3a0537d0cdbcfc70c10286875d97261 Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Wed Feb 21 15:50:25 2024 +0000 changed ordering and added logic Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
  commit 6c2d07987d379575c6ecf766e528da19ba5ffae0 Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Wed Feb 21 15:50:12 2024 +0000 removed as not required Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
  commit 1d775c698c9270f707dddbd955d096bfaa978dae Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Wed Feb 21 15:50:04 2024 +0000 updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
  commit 562d7604e5263ed4d5cd97cdd2a46ea4a1c3f58f Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Wed Feb 21 15:49:57 2024 +0000 updated precommit Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
  commit bb46131304f00cfe9c9b7b62dda9150ab5d19643 Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Wed Feb 21 12:04:15 2024 +0000 Added ability for audit_only Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
  Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* fix typo line 020030 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated due to galaxy_ng changes Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Revert "fixed gnutls as per issue 196 thansk to @jmalpede" This reverts commit 63c4c84. Signed-off-by: William Panlener <wpanlener@gmail.com>
* Update main.yml Removing stale var rhel8stig_sshd_compression Signed-off-by: William Golembieski <william@armoryanalytics.com>
* [pre-commit.ci] pre-commit autoupdate updates:
  - [github.com/pre-commit/pre-commit-hooks: v4.4.0 → v4.5.0](pre-commit/pre-commit-hooks@v4.4.0...v4.5.0)
  - [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](gitleaks/gitleaks@v8.18.0...v8.18.1)
  - [github.com/ansible-community/ansible-lint: v6.20.2 → v6.22.1](ansible/ansible-lint@v6.20.2...v6.22.1)
  - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0)
* [pre-commit.ci] pre-commit autoupdate updates:
  - [github.com/gitleaks/gitleaks: v8.18.1 → v8.18.2](gitleaks/gitleaks@v8.18.1...v8.18.2)
  - [github.com/ansible-community/ansible-lint: v6.22.1 → v24.2.0](ansible/ansible-lint@v6.22.1...v24.2.0)
  - [github.com/adrienverge/yamllint.git: v1.33.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.35.1)
* updated Readme credits Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated credits Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* [pre-commit.ci] pre-commit autoupdate updates:
  - [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.1](ansible/ansible-lint@v24.2.0...v24.2.1)
* Updated RHEL-08-020050 to loop over stdout_lines. Fixes issue #261. Signed-off-by: Phenix66 <34311559+Phenix66@users.noreply.github.com>
* [pre-commit.ci] pre-commit autoupdate updates:
  - [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](pre-commit/pre-commit-hooks@v4.5.0...v4.6.0)
* addressing #251 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* fix issue #263 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Address issues #242 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* housekeeping lint Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Meet fix text of V-244546 Signed-off-by: Eric Lehmann <katyl@katyl.info>
* issue #267 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* [pre-commit.ci] pre-commit autoupdate updates:
  - [github.com/ansible-community/ansible-lint: v24.2.1 → v24.2.2](ansible/ansible-lint@v24.2.1...v24.2.2)
* fixed error in conditional rhel-08-020022 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---------
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Signed-off-by: William Panlener <wpanlener@gmail.com>
Signed-off-by: William Golembieski <william@armoryanalytics.com>
Signed-off-by: uk-bolly <mark.bollyuk@gmail.com>
Signed-off-by: Phenix66 <34311559+Phenix66@users.noreply.github.com>
Signed-off-by: Eric Lehmann <katyl@katyl.info>
Co-authored-by: William Panlener <wpanlener@gmail.com>
Co-authored-by: William Golembieski <william@armoryanalytics.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Phenix66 <34311559+Phenix66@users.noreply.github.com>
Co-authored-by: Eric Lehmann <katyl@katyl.info>
Describe the Issue
The control V-244553 expects `net.ipv4.conf.all.accept_redirects = 0` to be set in the /etc/sysctl.d/ directory.
And the task here for V-244553 instead sets `net.ipv4.conf.all.send_redirects`, which I believe to be a typo as the previous two tasks in the block look for `net.ipv4.conf.all.accept_redirects = [^0]`, so the third task should set `net.ipv4.conf.all.accept_redirects = 0`.
The `send_redirects` setting is actually set here in the V-230536 group of tasks.
Expected Behavior
I expect `net.ipv4.conf.all.accept_redirects = 0` to be set in the `rhel8stig_sysctl_file`.
Actual Behavior
`net.ipv4.conf.all.accept_redirects = 0` is not set in the /etc/sysctl.d/ directory as it is never configured via a task.
Control(s) Affected
What controls are being affected by the issue:
V-244553 RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
Environment (please complete the following information):
Additional Notes
None
Possible Solution
Update the task to use the proper configuration:
net.ipv4.conf.all.accept_redirects = 0
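
An added example, not code from the role or from the issue's author: a small Python audit for the condition reported above, where `send_redirects` is written but `accept_redirects` never is. It reads the `*.conf` files of a single directory in lexical order, as a simplified stand-in for /etc/sysctl.d/; the file names and sample contents are constructed.

```python
import re
import tempfile
from pathlib import Path

KEY = "net.ipv4.conf.all.accept_redirects"
# "key = value"; an optional leading "-" tells sysctl to ignore apply errors.
ASSIGNMENT = re.compile(r"^\s*-?\s*([\w.\-]+)\s*=\s*(.*?)\s*$")


def parse_sysctl(text):
    """Return {key: value} for one file; a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # comment line
        match = ASSIGNMENT.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def audit(directory, key=KEY, want="0"):
    """Walk *.conf in lexical order (last assignment wins) and grade the key."""
    value, source = None, None
    for path in sorted(Path(directory).glob("*.conf")):
        found = parse_sysctl(path.read_text()).get(key)
        if found is not None:
            value, source = found, path.name
    if value is None:
        return "MISSING", None
    return ("PASS" if value == want else "FAIL"), source


def run_case(files):
    """Write constructed sample files into a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            Path(tmp, name).write_text(body)
        return audit(tmp)


# Constructed samples, not taken from the role or from a real host.
REPORTED = {"60-stig.conf": "net.ipv4.conf.all.send_redirects = 0\n"}
FIXED = {"60-stig.conf": "net.ipv4.conf.all.accept_redirects = 0\n"}
OVERRIDDEN = {**FIXED, "99-local.conf": "# lab\nnet.ipv4.conf.all.accept_redirects=1\n"}

if __name__ == "__main__":
    for label, files in (("reported", REPORTED), ("fixed", FIXED), ("overridden", OVERRIDDEN)):
        print(label, run_case(files))
```

The `OVERRIDDEN` case shows why the audit reports the file that supplied the effective value: a later file in the same directory can undo a correct setting written earlier.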