From 746816cc965a251836b75a742b6a213add431192 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 16 Nov 2016 09:58:17 -0600
Subject: [PATCH] Securing sysctl configurations

This patch adds tasks to secure various network-related settings via sysctl. Documentation will be in a follow-on patch.

Controls implemented:

- RHEL-07-040350
- RHEL-07-040351
- RHEL-07-040380
- RHEL-07-040410
- RHEL-07-040420
- RHEL-07-040421
- RHEL-07-040730
- RHEL-07-040860

Implements: blueprint security-rhel7-stig
Change-Id: I35f82165ccb2ea0e17ea32030968b7f33b1a073a
---
 defaults/main.yml | 13 +++++++++++++
 tasks/main.yml | 5 +++++
 tasks/rhel7stig/kernel.yml | 33 +++++++++++++++++++++++++++++++++
 tasks/rhel7stig/main.yml | 1 +
 vars/sysctl.yml | 37 +++++++++++++++++++++++++++++++++++++
 5 files changed, 89 insertions(+)
 create mode 100644 tasks/rhel7stig/kernel.yml
 create mode 100644 vars/sysctl.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index a8a1ef82..58ffb7c8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -495,3 +495,16 @@ security_sshd_enable_privilege_separation: yes # RHEL-07-040690
 security_sshd_enable_strict_modes: yes # RHEL-07-040680
 # Disallow Kerberos authentication.
 security_sshd_disable_kerberos_auth: yes # RHEL-07-040670
+
+## sysctl settings (kernel)
+# Disallow forwarding IPv4/IPv6 source routed packets on all interfaces
+# immediately and by default on new interfaces.
+security_disallow_source_routed_packet_forward_ipv4: yes # RHEL-07-040350 / RHEL-07-040351
+security_disallow_source_routed_packet_forward_ipv6: yes # RHEL-07-040860
+# Disallow responses to IPv4 ICMP echoes sent to broadcast address.
+security_disallow_echoes_broadcast_address: yes # RHEL-07-040380
+# Disallow IPV4 ICMP redirects on all interfaces immediately and by default on
+# new interfaces.
+security_disallow_icmp_redirects: yes # RHEL-07-040410 / RHEL-07-040420 / RHEL-07-040421
+# Disallow IP forwarding.
+security_disallow_ip_forwarding: no # RHEL-07-040730
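Review bot: `security_disallow_ip_forwarding: no` is the only control in this block that ships disabled, and the comment `# Disallow IP forwarding.` says neither that it is opt-in nor why. The matching entry in vars/sysctl.yml sets `net.ipv4.ip_forward` to 0, so turning it on will break hosts that route or NAT traffic, which is presumably the reason for the conservative default. Suggest expanding the comment to `# Disallow IP forwarding. Off by default: enabling it sets net.ipv4.ip_forward=0, which breaks hosts that route or NAT traffic.`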
diff --git a/tasks/main.yml b/tasks/main.yml
index 5325c963..04f09110 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -24,6 +24,11 @@
   tags:
     - always
 
+- name: Gather additional variables about sysctl settings
+  include_vars: sysctl.yml
+  tags:
+    - always
+
 - name: Check for check/audit mode
   command: /bin/true
   register: noop_result
diff --git a/tasks/rhel7stig/kernel.yml b/tasks/rhel7stig/kernel.yml
new file mode 100644
index 00000000..d52fdf35
--- /dev/null
+++ b/tasks/rhel7stig/kernel.yml
@@ -0,0 +1,33 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Set sysctl configurations
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: "{{ item.enabled | ternary('present', 'absent') }}"
+    reload: yes
+  with_items: "{{ sysctl_settings_rhel7 }}"
+  tags:
+    - medium
+    - kernel
+    - RHEL-07-040350
+    - RHEL-07-040351
+    - RHEL-07-040380
+    - RHEL-07-040410
+    - RHEL-07-040420
+    - RHEL-07-040421
+    - RHEL-07-040730
+    - RHEL-07-040860
diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml
index a45cdf15..9e1b5657 100644
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
@@ -47,6 +47,7 @@
 - include: auth.yml
 - include: file_perms.yml
 - include: graphical.yml
+- include: kernel.yml
 - include: misc.yml
 - include: sshd.yml
 
diff --git a/vars/sysctl.yml b/vars/sysctl.yml
new file mode 100644
index 00000000..28f3261d
--- /dev/null
+++ b/vars/sysctl.yml
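Review bot: In tasks/rhel7stig/kernel.yml, `state: "{{ item.enabled | ternary('present', 'absent') }}"` makes a disabled control actively delete the key from the sysctl file rather than leave it alone, so with the shipped default `security_disallow_ip_forwarding: no` the task removes any operator-managed `net.ipv4.ip_forward` line and `reload: yes` then reloads without it, silently dropping that setting's persistence on hosts that rely on forwarding. If a `no` value is meant as "do not manage this setting", the safer shape is `state: present` on the module plus a task-level `when: item.enabled | bool`, reserving `absent` for controls that are explicitly meant to be reverted. A short comment above the task stating which of the two semantics is intended would also help, since the variable names read as "disallow", not "manage".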
@@ -0,0 +1,37 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+sysctl_settings_rhel7:
+  - name: net.ipv4.conf.all.accept_source_route
+    value: 0
+    enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
+  - name: net.ipv4.conf.default.accept_source_route
+    value: 0
+    enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}"
+  - name: net.ipv4.icmp_echo_ignore_broadcasts
+    value: 1
+    enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
+  - name: net.ipv4.conf.all.send_redirects
+    value: 0
+    enabled: "{{ security_disallow_icmp_redirects | bool }}"
+  - name: net.ipv4.conf.default.send_redirects
+    value: 0
+    enabled: "{{ security_disallow_icmp_redirects | bool }}"
+  - name: net.ipv4.ip_forward
+    value: 0
+    enabled: "{{ security_disallow_ip_forwarding | bool }}"
+  - name: net.ipv6.conf.all.accept_source_route
+    value: 0
+    enabled: "{{ security_disallow_source_routed_packet_forward_ipv6 | bool }}"
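Review bot: The IPv6 side of the list only covers `net.ipv6.conf.all.accept_source_route`, while the IPv4 side sets both `all` and `default`, and the comment added to defaults/main.yml in this same patch promises "all interfaces immediately and by default on new interfaces" for IPv4/IPv6 alike. Either add a `net.ipv6.conf.default.accept_source_route` entry with `value: 0` and the same `security_disallow_source_routed_packet_forward_ipv6 | bool` expression, or narrow the defaults comment so it no longer claims the `default` sysctl for IPv6. Separately, the second entry's `| bool}}` is missing the space before `}}` that every other expression has; it renders the same but should be `| bool }}` for consistency.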