diff --git a/handlers/main.yml b/handlers/main.yml
index 1a3235974946af84cdeba8b02e1edf325dd912d5..b6446b435ae503b09aff9a395dbbb13368135b5a 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -13,7 +13,7 @@
 ansible.builtin.apt:
 name: [
 'iptables-persistent',
- 'netfilter-persistent',
+ 'netfilter-persistent', # required, iptables plugin for netfilter-persistent
 ]
 state: present
 listen: "save iptables rules"
diff --git a/tasks/configure_iptables.yml b/tasks/configure_iptables.yml
index 00b634e368c70212f01b31a681716e049fb637e3..2ecc827db8f080c33604d911022ce75decdd5e0b 100644
--- a/tasks/configure_iptables.yml
+++ b/tasks/configure_iptables.yml
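Review bot: The comment added on the `'netfilter-persistent'` line describes the other package: on Debian-based systems `iptables-persistent` is the iptables plugin for `netfilter-persistent` (and depends on it), so the note tells the reader the dependency the wrong way round. Move it to the first entry, e.g. `'iptables-persistent',  # iptables plugin for netfilter-persistent (depends on it)`, and if `netfilter-persistent` needs a note, say what it is: `# framework/service that loads the saved rules at boot`. Once two entries carry comments, the flow sequence `name: [ ... ]` reads poorly; a block sequence under `name:` carries per-item comments more naturally. The hunk's indentation was lost when the diff was collapsed, so I cannot tell how the inline comment is aligned.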
@@ -117,6 +117,39 @@
 - save iptables rules
 # http://shouldiblockicmp.com
+
+# OID: 1.3.6.1.4.1.25623.1.0.103190 MITIGATION:
+# - http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.103190
+# - https://access.redhat.com/solutions/6123331
+# "Need to disable ICMP type 13 (timestamp requests) and 14 (timestamp
+# replies) without using firewalld, iptables, or nftables. (...)
+# At this time there is no method to disable ICMP timestamp requests and
+# replies in RHEL without using a firewall solution."
+# - https://beyondsecurity.freshdesk.com/support/solutions/articles/44001709477--how-can-i-mitigate-icmp-timestamp-
+# "Linux offers neither a sysctl nor a /proc/sys/net/ipv4 interface to
+# disable ICMP timestamp responses. Therefore, you should block ICMP on the
+# affected host using iptables, and/or block it at the firewall."
+# - The risk is mainly mitigated by using the "DROP" Default Policy for the
+# INPUT chain in iptables and only allowing specific ICMP packes. However,
+# to mitigate against misconfigurations of the Default Policy, we now
+# explicitely DROP these packages.
+# Kudos to @Steidl for building the initial version of this.
+- name: >
+ "mitigate OID: 1.3.6.1.4.1.25623.1.0.103190 'ICMP Timestamp Reply
+ Information Disclosure'"
+ ansible.builtin.iptables:
+ action: "insert"
+ chain: "{{ item.chain | default('INPUT') }}"
+ comment: "{{ item.comment | default(omit) }}"
+ icmp_type: "{{ item.icmp_type | default(omit) }}"
+ jump: "DROP"
+ protocol: "icmp"
+ state: "{{ item.state | default('present') }}"
+ table: "filter"
+ loop: "{{ vault_iptables_icmp | flatten(levels=1) }}"
+ notify:
+ - save iptables rules
+
 # TODO: Outgoing iptables Regeln erstellen, und bloß keine vergessen!!!
 ## Configure specific rules - Chain OUTPUT
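Review bot: `icmp_type: "{{ item.icmp_type | default(omit) }}"` means any `vault_iptables_icmp` entry that lacks `icmp_type` silently becomes an unrestricted `-p icmp -j DROP` inserted at the top of INPUT, which also drops type 3 (destination unreachable, including fragmentation-needed) and can break path-MTU discovery — the opposite of the comment's stated intent of dropping only specific types. Since this task exists to drop types 13/14, make the type required: `icmp_type: "{{ item.icmp_type | mandatory }}"`. The task `name` uses a `>` folded scalar, so the inner double quotes are literal characters and the name is rendered with surrounding `"`; `name: >-` with the quotes dropped gives the intended text. `action: "insert"` without `rule_num` places each loop item at position 1, so the rules land in reverse order of the variable — harmless for a set of DROP rules, but worth a one-line comment so nobody later adds an ACCEPT entry expecting list order. The comment block also has `packes`/`packages` where `packets` is meant and `explicitely` for `explicitly`.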