Merge branch 'xingzhou-stig-icmp' into develop

[#98978206]

bosh-stemcell/spec/stemcells/stig_spec.rb

@@ -39,6 +39,10 @@
       V-38526
       V-38529
       V-38582
+      V-38548
+      V-38532
+      V-38600
+      V-38601
     }
 
     expected_stig_test_cases = expected_base_stig_test_cases

bosh-stemcell/spec/support/os_image_linux_kernel_3x_shared_examples.rb

@@ -23,6 +23,22 @@ def kernel_version
       it 'must not accept IPv4 source-routed packets on any interface (stig: V-38523)' do
         should contain /^net.ipv4.conf.all.accept_source_route=0$/
       end
+
+      it 'must ignore ICMPv6 redirects by default (stig: V-38548)' do
+        should contain /^net.ipv6.conf.default.accept_redirects=0$/
+      end
+
+      it 'must not accept ICMPv4 secure redirect packets by default (stig: V-38532)' do
+        should contain /^net.ipv4.conf.default.secure_redirects=0$/
+      end
+
+      it 'must not send ICMPv4 redirects by default (stig: V-38600)' do
+        should contain /^net.ipv4.conf.default.send_redirects=0$/
+      end
+
+      it 'must not send ICMPv4 redirects from any interface. (stig: V-38601)' do
+        should contain /^net.ipv4.conf.all.send_redirects=0$/
+      end
     end
 
     describe file('/etc/sysctl.d/60-bosh-sysctl-neigh-fix.conf') do

stemcell_builder/stages/bosh_sysctl/assets/60-bosh-sysctl.conf

@@ -1,7 +1,14 @@
 # Setup rp_filter in loose mode
-net.ipv4.conf.default.rp_filter=2
+
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.all.accept_source_route=0
 net.ipv4.conf.all.rp_filter=2
 net.ipv4.conf.all.secure_redirects=0
-net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.all.send_redirects=0
+
 net.ipv4.conf.default.accept_source_route=0
-net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.rp_filter=2
+net.ipv4.conf.default.secure_redirects=0
+net.ipv4.conf.default.send_redirects=0
+
+net.ipv6.conf.default.accept_redirects=0