From 7153774664509f8b8ce5fd801b2b367108194064 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <joerg.sachse@slub-dresden.de>
Date: Tue, 27 Jun 2023 14:44:57 +0200
Subject: [PATCH] sec: block ICMP timestamp requests/replies

---
 handlers/main.yml            |  2 +-
 tasks/configure_iptables.yml | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/handlers/main.yml b/handlers/main.yml
index 1a32359..b6446b4 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -13,7 +13,7 @@
       ansible.builtin.apt:
         name: [
           'iptables-persistent',
-          'netfilter-persistent',
+          'netfilter-persistent',    # required, iptables plugin for netfilter-persistent
         ]
         state: present
       listen: "save iptables rules"
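Review bot: The new inline comment is attached to the wrong element: it says "iptables plugin for netfilter-persistent", which describes the `iptables-persistent` package, not `netfilter-persistent` where the comment now sits. Move it to the line above, e.g. `'iptables-persistent',    # iptables plugin for netfilter-persistent, required` and leave `'netfilter-persistent',` as it was, so the next reader does not conclude the second package is the plugin. The enclosing apt task starts before the hunk.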
diff --git a/tasks/configure_iptables.yml b/tasks/configure_iptables.yml
index 00b634e..2ecc827 100644
--- a/tasks/configure_iptables.yml
+++ b/tasks/configure_iptables.yml
@@ -117,6 +117,39 @@
     - save iptables rules
 # http://shouldiblockicmp.com
 
+
+# OID: 1.3.6.1.4.1.25623.1.0.103190 MITIGATION:
+# - http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.103190
+# - https://access.redhat.com/solutions/6123331
+#   "Need to disable ICMP type 13 (timestamp requests) and 14 (timestamp
+#    replies) without using firewalld, iptables, or nftables. (...)
+#    At this time there is no method to disable ICMP timestamp requests and
+#    replies in RHEL without using a firewall solution."
+# - https://beyondsecurity.freshdesk.com/support/solutions/articles/44001709477--how-can-i-mitigate-icmp-timestamp-
+#   "Linux offers neither a sysctl nor a /proc/sys/net/ipv4 interface to
+#    disable ICMP timestamp responses. Therefore, you should block ICMP on the
+#    affected host using iptables, and/or block it at the firewall."
+# - The risk is mainly mitigated by using the "DROP" Default Policy for the
+#   INPUT chain in iptables and only allowing specific ICMP packes. However,
+#   to mitigate against misconfigurations of the Default Policy, we now
+#   explicitely DROP these packages.
+# Kudos to @Steidl for building the initial version of this.
+- name: >
+    "mitigate OID: 1.3.6.1.4.1.25623.1.0.103190 'ICMP Timestamp Reply
+     Information Disclosure'"
+  ansible.builtin.iptables:
+    action: "insert"
+    chain: "{{ item.chain | default('INPUT') }}"
+    comment: "{{ item.comment | default(omit) }}"
+    icmp_type: "{{ item.icmp_type | default(omit) }}"
+    jump: "DROP"
+    protocol: "icmp"
+    state: "{{ item.state | default('present') }}"
+    table: "filter"
+  loop: "{{ vault_iptables_icmp | flatten(levels=1) }}"
+  notify:
+    - save iptables rules
+
 # TODO: Outgoing iptables Regeln erstellen, und bloß keine vergessen!!!
 
 ## Configure specific rules - Chain OUTPUT
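Review bot: `icmp_type: "{{ item.icmp_type | default(omit) }}"` lets a vault item that lacks `icmp_type` render to `-p icmp -j DROP`, which drops every inbound ICMP type (including the destination-unreachable messages PMTU discovery needs) instead of only types 13/14 that the comment block documents as the goal; make the key mandatory with `icmp_type: "{{ item.icmp_type }}"` so a malformed entry fails the play rather than silently widening the rule. The task name uses `>` with literal double quotes inside, so the rendered name carries those quote characters plus a trailing newline; `name: >-` with the quotes dropped gives the intended single line. The explanatory comment above the task should read "specific ICMP packets" and "explicitly DROP these packets" rather than "packes"/"explicitely"/"packages", and the double blank line before it can be reduced to one.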
-- 
GitLab