Securing sysctl configurations

This patch adds tasks to secure various network-related settings via sysctl. Documentation will be in a follow-on patch. Controls implemented: - RHEL-07-040350 - RHEL-07-040351 - RHEL-07-040380 - RHEL-07-040410 - RHEL-07-040420 - RHEL-07-040421 - RHEL-07-040730 - RHEL-07-040860 Implements: blueprint security-rhel7-stig Change-Id: I35f82165ccb2ea0e17ea32030968b7f33b1a073a
2016-11-16 09:58:17 -06:00
parent 3c0cc41969
commit 746816cc96
5 changed files with 89 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -495,3 +495,16 @@ security_sshd_enable_privilege_separation: yes               # RHEL-07-040690
 security_sshd_enable_strict_modes: yes                       # RHEL-07-040680
 # Disallow Kerberos authentication.
 security_sshd_disable_kerberos_auth: yes                     # RHEL-07-040670
+
+## sysctl settings (kernel)
+# Disallow forwarding IPv4/IPv6 source routed packets on all interfaces
+# immediately and by default on new interfaces.
+security_disallow_source_routed_packet_forward_ipv4: yes     # RHEL-07-040350 / RHEL-07-040351
+security_disallow_source_routed_packet_forward_ipv6: yes     # RHEL-07-040860
+# Disallow responses to IPv4 ICMP echoes sent to broadcast address.
+security_disallow_echoes_broadcast_address: yes              # RHEL-07-040380
+# Disallow IPV4 ICMP redirects on all interfaces immediately and by default on
+# new interfaces.
+security_disallow_icmp_redirects: yes                        # RHEL-07-040410 / RHEL-07-040420 / RHEL-07-040421
+# Disallow IP forwarding.
+security_disallow_ip_forwarding: no                          # RHEL-07-040730
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -24,6 +24,11 @@
    tags:
      - always

+  - name: Gather additional variables about sysctl settings
+    include_vars: sysctl.yml
+    tags:
+      - always
+
  - name: Check for check/audit mode
    command: /bin/true
    register: noop_result
--- a/tasks/rhel7stig/kernel.yml
+++ b/tasks/rhel7stig/kernel.yml
@@ -0,0 +1,33 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Set sysctl configurations
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: "{{ item.enabled | ternary('present', 'absent') }}"
+    reload: yes
+  with_items: "{{ sysctl_settings_rhel7 }}"
+  tags:
+    - medium
+    - kernel
+    - RHEL-07-040350
+    - RHEL-07-040351
+    - RHEL-07-040380
+    - RHEL-07-040410
+    - RHEL-07-040420
+    - RHEL-07-040421
+    - RHEL-07-040730
+    - RHEL-07-040860
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
@@ -47,6 +47,7 @@
 - include: auth.yml
 - include: file_perms.yml
 - include: graphical.yml
+- include: kernel.yml
 - include: misc.yml
 - include: sshd.yml

--- a/vars/sysctl.yml
+++ b/vars/sysctl.yml
@@ -0,0 +1,37 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+sysctl_settings_rhel7:
+  - name: net.ipv4.conf.all.accept_source_route
+    value: 0
+    enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
+  - name: net.ipv4.conf.default.accept_source_route
+    value: 0
+    enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}"
+  - name: net.ipv4.icmp_echo_ignore_broadcasts
+    value: 1
+    enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
+  - name: net.ipv4.conf.all.send_redirects
+    value: 0
+    enabled: "{{ security_disallow_icmp_redirects | bool }}"
+  - name: net.ipv4.conf.default.send_redirects
+    value: 0
+    enabled: "{{ security_disallow_icmp_redirects | bool }}"
+  - name: net.ipv4.ip_forward
+    value: 0
+    enabled: "{{ security_disallow_ip_forwarding | bool }}"
+  - name: net.ipv6.conf.all.accept_source_route
+    value: 0
+    enabled: "{{ security_disallow_source_routed_packet_forward_ipv6 | bool }}"