[Docs] Securing sysctl configurations
This patch provides documentation for: https://review.openstack.org/397877 Implements: blueprint security-rhel7-stig Change-Id: I1719ccb5b9818f6477e515cba6b9d1d9b29e2ab4
This commit is contained in:
Major Hayden
@@ -1,7 +1,19 @@
|
||||
---
|
||||
id: RHEL-07-040350
|
||||
status: not implemented
|
||||
tag: misc
|
||||
status: implemented
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
This STIG requirement is not yet implemented.
|
||||
The tasks in this role set ``net.ipv4.conf.all.accept_source_route`` and
|
||||
``net.ipv4.conf.default.accept_source_route`` to ``0`` by default. This
|
||||
prevents the system from forwarding source-routed IPv4 packets on all
|
||||
new and existing interfaces.
|
||||
|
||||
Deployers can opt out of this change by setting the following Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_disallow_source_routed_packet_forward_ipv4: no
|
||||
|
||||
For more details on source routed packets, refer to the
|
||||
`Red Hat documentation <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Disable-Source-Routing.html>`_.
|
||||
|
||||
@@ -1,7 +1,9 @@
|
||||
---
|
||||
id: RHEL-07-040351
|
||||
status: not implemented
|
||||
tag: misc
|
||||
status: implemented
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
This STIG requirement is not yet implemented.
|
||||
This control is implemented by the tasks for another control:
|
||||
|
||||
* :ref:`stig-RHEL-07-040350`
|
||||
|
||||
@@ -1,7 +1,15 @@
|
||||
---
|
||||
id: RHEL-07-040380
|
||||
status: not implemented
|
||||
tag: misc
|
||||
status: implemented
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
This STIG requirement is not yet implemented.
|
||||
The tasks in this role set ``net.ipv4.icmp_echo_ignore_broadcasts`` to ``1``
|
||||
by default. This prevents the system from responding to IPv4 ICMP echoes sent
|
||||
to the broadcast address.
|
||||
|
||||
Deployers can opt out of this change by setting the following Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_disallow_echoes_broadcast_address: no
|
||||
|
||||
@@ -1,7 +1,9 @@
|
||||
---
|
||||
id: RHEL-07-040410
|
||||
status: not implemented
|
||||
tag: misc
|
||||
status: implemented
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
This STIG requirement is not yet implemented.
|
||||
This control is implemented by the tasks for another control:
|
||||
|
||||
* :ref:`stig-RHEL-07-040421`
|
||||
|
||||
@@ -1,7 +1,16 @@
|
||||
---
|
||||
id: RHEL-07-040420
|
||||
status: not implemented
|
||||
tag: misc
|
||||
status: implemented
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
This STIG requirement is not yet implemented.
|
||||
The tasks in this role set ``net.ipv4.conf.default.send_redirects`` and
|
||||
``net.ipv4.conf.all.send_redirects`` to ``0`` by default. This prevents a
|
||||
system from sending IPv4 ICMP redirect packets on all new and existing
|
||||
interfaces.
|
||||
|
||||
Deployers can opt out of this change by setting the following Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_disallow_icmp_redirects: no
|
||||
|
||||
@@ -1,7 +1,9 @@
|
||||
---
|
||||
id: RHEL-07-040421
|
||||
status: not implemented
|
||||
tag: misc
|
||||
status: implemented
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
This STIG requirement is not yet implemented.
|
||||
This control is implemented by the tasks for another control:
|
||||
|
||||
* :ref:`stig-RHEL-07-040420`
|
||||
|
||||
@@ -1,7 +1,22 @@
|
||||
---
|
||||
id: RHEL-07-040730
|
||||
status: not implemented
|
||||
tag: misc
|
||||
status: opt-in
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
This STIG requirement is not yet implemented.
|
||||
Disabling IP forwarding on a system that routes packets or host virtual
|
||||
machines might cause network interruptions. The tasks in this role do not
|
||||
adjust the ``net.ipv4.ip_forward`` configuration by default.
|
||||
|
||||
Deployers can opt in for this change and disable IP forwarding by setting the
|
||||
following Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_disallow_ip_forwarding: yes
|
||||
|
||||
.. warning::
|
||||
|
||||
IP forwarding is required in some environments. Always test in a
|
||||
non-production environment before changing this setting on a production
|
||||
system.
|
||||
|
||||
@@ -1,7 +1,18 @@
|
||||
---
|
||||
id: RHEL-07-040860
|
||||
status: not implemented
|
||||
tag: misc
|
||||
status: implemented
|
||||
tag: kernel
|
||||
---
|
||||
|
||||
This STIG requirement is not yet implemented.
|
||||
The tasks in this role set ``net.ipv6.conf.all.accept_source_route`` to ``0``
|
||||
by default. This prevents the system from forwarding source-routed IPv6
|
||||
packets.
|
||||
|
||||
Deployers can opt out of this change by setting the following Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_disallow_source_routed_packet_forward_ipv6: no
|
||||
|
||||
Refer to `"IPv6 source routing: history repeats itself" <https://lwn.net/Articles/232781/>`_
|
||||
for more details on IPv6 source routed packets.
|
||||
|
||||
Reference in New Issue
Block a user