Configure Response Mode of ARP Requests for All IPv4 Interfaces

An XCCDF Rule

Description

To set the runtime status of the net.ipv4.conf.all.arp_ignore kernel parameter, run the following command:

$ sudo sysctl -w net.ipv4.conf.all.arp_ignore=

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

net.ipv4.conf.all.arp_ignore =

warning alert: Functionality Warning

The ARP response mode may impact behaviour of workloads and firewalls on the system.

Rationale

Avoids ARP Flux on system that have more than one interface on the same subnet.

ID: xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_ignore
Severity: Medium
References: BP28(R12)
Updated: about 1 year ago

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/    - /usr/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.conf.all.arp_ignore.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_arp_ignore

- name: Comment out any occurrences of net.ipv4.conf.all.arp_ignore from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.ipv4.conf.all.arp_ignore
    replace: '#net.ipv4.conf.all.arp_ignore'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_arp_ignore
- name: XCCDF Value sysctl_net_ipv4_conf_all_arp_ignore_value # promote to variable
  set_fact:
    sysctl_net_ipv4_conf_all_arp_ignore_value: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_ignore_value" use="legacy"/>
  tags:
    - always

- name: Ensure sysctl net.ipv4.conf.all.arp_ignore is set
  sysctl:
    name: net.ipv4.conf.all.arp_ignore
    value: '{{ sysctl_net_ipv4_conf_all_arp_ignore_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv4_conf_all_arp_ignore

Configure Response Mode of ARP Requests for All IPv4 Interfaces

Description

Rationale

Remediation - Ansible