sec: block ICMP timestamp requests/replies

71537746 · Jörg Sachse · 33d5b63f · 71537746 · 71537746
Commit 71537746 authored 1 year ago by Jörg Sachse
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -13,7 +13,7 @@
      ansible.builtin.apt:
        name: [
          'iptables-persistent',
-          'netfilter-persistent',
+          'netfilter-persistent',    # required, iptables plugin for netfilter-persistent
        ]
        state: present
      listen: "save iptables rules"

--- a/tasks/configure_iptables.yml
+++ b/tasks/configure_iptables.yml
@@ -117,6 +117,39 @@
    - save iptables rules
 # http://shouldiblockicmp.com
+# OID: 1.3.6.1.4.1.25623.1.0.103190 MITIGATION:
+# - http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.103190
+# - https://access.redhat.com/solutions/6123331
+#   "Need to disable ICMP type 13 (timestamp requests) and 14 (timestamp
+#    replies) without using firewalld, iptables, or nftables. (...)
+#    At this time there is no method to disable ICMP timestamp requests and
+#    replies in RHEL without using a firewall solution."
+# - https://beyondsecurity.freshdesk.com/support/solutions/articles/44001709477--how-can-i-mitigate-icmp-timestamp-
+#   "Linux offers neither a sysctl nor a /proc/sys/net/ipv4 interface to
+#    disable ICMP timestamp responses. Therefore, you should block ICMP on the
+#    affected host using iptables, and/or block it at the firewall."
+# - The risk is mainly mitigated by using the "DROP" Default Policy for the
+#   INPUT chain in iptables and only allowing specific ICMP packes. However,
+#   to mitigate against misconfigurations of the Default Policy, we now
+#   explicitely DROP these packages.
+# Kudos to @Steidl for building the initial version of this.
+- name: >
+    "mitigate OID: 1.3.6.1.4.1.25623.1.0.103190 'ICMP Timestamp Reply
+     Information Disclosure'"
+  ansible.builtin.iptables:
+    action: "insert"
+    chain: "{{ item.chain | default('INPUT') }}"
+    comment: "{{ item.comment | default(omit) }}"
+    icmp_type: "{{ item.icmp_type | default(omit) }}"
+    jump: "DROP"
+    protocol: "icmp"
+    state: "{{ item.state | default('present') }}"
+    table: "filter"
+  loop: "{{ vault_iptables_icmp | flatten(levels=1) }}"
+  notify:
+    - save iptables rules
 # TODO: Outgoing iptables Regeln erstellen, und bloß keine vergessen!!!
 ## Configure specific rules - Chain OUTPUT