From 716232cef66c857c09f1a1f01513d1b72343976e Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Tue, 15 Nov 2016 12:48:57 -0600 Subject: [PATCH] [Docs] Securing sysctl configurations This patch provides documentation for: https://review.openstack.org/397877 Implements: blueprint security-rhel7-stig Change-Id: I1719ccb5b9818f6477e515cba6b9d1d9b29e2ab4 --- doc/metadata/rhel7/RHEL-07-040350.rst | 18 +++++++++++++++--- doc/metadata/rhel7/RHEL-07-040351.rst | 8 +++++--- doc/metadata/rhel7/RHEL-07-040380.rst | 14 +++++++++++--- doc/metadata/rhel7/RHEL-07-040410.rst | 8 +++++--- doc/metadata/rhel7/RHEL-07-040420.rst | 15 ++++++++++++--- doc/metadata/rhel7/RHEL-07-040421.rst | 8 +++++--- doc/metadata/rhel7/RHEL-07-040730.rst | 21 ++++++++++++++++++--- doc/metadata/rhel7/RHEL-07-040860.rst | 17 ++++++++++++++--- 8 files changed, 85 insertions(+), 24 deletions(-) diff --git a/doc/metadata/rhel7/RHEL-07-040350.rst b/doc/metadata/rhel7/RHEL-07-040350.rst index 66b41ca9..e52bd234 100644 --- a/doc/metadata/rhel7/RHEL-07-040350.rst +++ b/doc/metadata/rhel7/RHEL-07-040350.rst @@ -1,7 +1,19 @@ --- id: RHEL-07-040350 -status: not implemented -tag: misc +status: implemented +tag: kernel --- -This STIG requirement is not yet implemented. +The tasks in this role set ``net.ipv4.conf.all.accept_source_route`` and +``net.ipv4.conf.default.accept_source_route`` to ``0`` by default. This +prevents the system from forwarding source-routed IPv4 packets on all +new and existing interfaces. + +Deployers can opt out of this change by setting the following Ansible variable: + +.. code-block:: yaml + + security_disallow_source_routed_packet_forward_ipv4: no + +For more details on source routed packets, refer to the +`Red Hat documentation `_. diff --git a/doc/metadata/rhel7/RHEL-07-040351.rst b/doc/metadata/rhel7/RHEL-07-040351.rst index 74f1a626..f7112b69 100644 --- a/doc/metadata/rhel7/RHEL-07-040351.rst +++ b/doc/metadata/rhel7/RHEL-07-040351.rst 
@@ -1,7 +1,9 @@ --- id: RHEL-07-040351 -status: not implemented -tag: misc +status: implemented +tag: kernel --- -This STIG requirement is not yet implemented. +This control is implemented by the tasks for another control: + +* :ref:`stig-RHEL-07-040350` diff --git a/doc/metadata/rhel7/RHEL-07-040380.rst b/doc/metadata/rhel7/RHEL-07-040380.rst index a982c941..8f8e9c8c 100644 --- a/doc/metadata/rhel7/RHEL-07-040380.rst +++ b/doc/metadata/rhel7/RHEL-07-040380.rst @@ -1,7 +1,15 @@ --- id: RHEL-07-040380 -status: not implemented -tag: misc +status: implemented +tag: kernel --- -This STIG requirement is not yet implemented. +The tasks in this role set ``net.ipv4.icmp_echo_ignore_broadcasts`` to ``1`` +by default. This prevents the system from responding to IPv4 ICMP echoes sent +to the broadcast address. + +Deployers can opt out of this change by setting the following Ansible variable: + +.. code-block:: yaml + + security_disallow_echoes_broadcast_address: no diff --git a/doc/metadata/rhel7/RHEL-07-040410.rst b/doc/metadata/rhel7/RHEL-07-040410.rst index db15f90a..d29f0a22 100644 --- a/doc/metadata/rhel7/RHEL-07-040410.rst +++ b/doc/metadata/rhel7/RHEL-07-040410.rst @@ -1,7 +1,9 @@ --- id: RHEL-07-040410 -status: not implemented -tag: misc +status: implemented +tag: kernel --- -This STIG requirement is not yet implemented. +This control is implemented by the tasks for another control: + +* :ref:`stig-RHEL-07-040421` diff --git a/doc/metadata/rhel7/RHEL-07-040420.rst b/doc/metadata/rhel7/RHEL-07-040420.rst index 1fb317eb..e4da09f1 100644 --- a/doc/metadata/rhel7/RHEL-07-040420.rst +++ b/doc/metadata/rhel7/RHEL-07-040420.rst 
@@ -1,7 +1,16 @@ --- id: RHEL-07-040420 -status: not implemented -tag: misc +status: implemented +tag: kernel --- -This STIG requirement is not yet implemented. +The tasks in this role set ``net.ipv4.conf.default.send_redirects`` and +``net.ipv4.conf.all.send_redirects`` to ``0`` by default. This prevents a +system from sending IPv4 ICMP redirect packets on all new and existing +interfaces. + +Deployers can opt out of this change by setting the following Ansible variable: + +.. code-block:: yaml + + security_disallow_icmp_redirects: no diff --git a/doc/metadata/rhel7/RHEL-07-040421.rst b/doc/metadata/rhel7/RHEL-07-040421.rst index faabf377..b8b518bf 100644 --- a/doc/metadata/rhel7/RHEL-07-040421.rst +++ b/doc/metadata/rhel7/RHEL-07-040421.rst @@ -1,7 +1,9 @@ --- id: RHEL-07-040421 -status: not implemented -tag: misc +status: implemented +tag: kernel --- -This STIG requirement is not yet implemented. +This control is implemented by the tasks for another control: + +* :ref:`stig-RHEL-07-040420` diff --git a/doc/metadata/rhel7/RHEL-07-040730.rst b/doc/metadata/rhel7/RHEL-07-040730.rst index f2716649..da9e6d09 100644 --- a/doc/metadata/rhel7/RHEL-07-040730.rst +++ b/doc/metadata/rhel7/RHEL-07-040730.rst @@ -1,7 +1,22 @@ --- id: RHEL-07-040730 -status: not implemented -tag: misc +status: opt-in +tag: kernel --- -This STIG requirement is not yet implemented. +Disabling IP forwarding on a system that routes packets or host virtual +machines might cause network interruptions. The tasks in this role do not +adjust the ``net.ipv4.ip_forward`` configuration by default. + +Deployers can opt in for this change and disable IP forwarding by setting the +following Ansible variable: + +.. code-block:: yaml + + security_disallow_ip_forwarding: yes + +.. warning:: + + IP forwarding is required in some environments. Always test in a + non-production environment before changing this setting on a production + system. 
diff --git a/doc/metadata/rhel7/RHEL-07-040860.rst b/doc/metadata/rhel7/RHEL-07-040860.rst index d7e58dee..f90e850a 100644 --- a/doc/metadata/rhel7/RHEL-07-040860.rst +++ b/doc/metadata/rhel7/RHEL-07-040860.rst @@ -1,7 +1,18 @@ --- id: RHEL-07-040860 -status: not implemented -tag: misc +status: implemented +tag: kernel --- -This STIG requirement is not yet implemented. +The tasks in this role set ``net.ipv6.conf.all.accept_source_route`` to ``0`` +by default. This prevents the system from forwarding source-routed IPv6 +packets. + +Deployers can opt out of this change by setting the following Ansible variable: + +.. code-block:: yaml + + security_disallow_source_routed_packet_forward_ipv6: no + +Refer to `"IPv6 source routing: history repeats itself" `_ +for more details on IPv6 source routed packets.
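Review bot: in the RHEL-07-040350 hunk the sentence "This prevents the system from forwarding source-routed IPv4 packets" describes the wrong mechanism: `net.ipv4.conf.*.accept_source_route` controls whether the kernel accepts packets carrying the source-route option at all, whether they are destined for the host or would be forwarded. Saying "accepting" keeps the page accurate on a host that later opts in to forwarding via RHEL-07-040730. Separately, the link at the end of the hunk reads `Red Hat documentation `_ with an empty target, which Sphinx renders as a broken reference; add the URL before merging.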
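Review bot: the RHEL-07-040380 description should say what `icmp_echo_ignore_broadcasts=1` actually suppresses: the kernel ignores ICMP echo and timestamp requests sent to broadcast or multicast addresses, not only echoes to the broadcast address. Mentioning multicast matters to deployers who use multicast ping for host discovery and will see it stop working after the role runs.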
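Review bot: RHEL-07-040410 is marked `implemented` by pointing at RHEL-07-040421, which itself only says "implemented by the tasks for another control" and points on to RHEL-07-040420, so a reader follows two hops to reach the sysctl description. Point 040410 straight at `:ref:`stig-RHEL-07-040420`` the way 040351 points straight at 040350, and confirm that 040410's requirement really is satisfied by `send_redirects` alone, since nothing in the chain mentions any other redirect-related key (for example the `accept_redirects` sysctls) and the `implemented` status rests entirely on that chain.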
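Review bot: the RHEL-07-040420 hunk claims the setting "prevents a system from sending IPv4 ICMP redirect packets on all new and existing interfaces", but `send_redirects` uses OR semantics (the kernel's ip-sysctl documentation: an interface sends redirects if at least one of `conf/all/send_redirects` and `conf/<interface>/send_redirects` is set). Interfaces that already exist when the role runs keep their per-interface value, which was copied from `default` at creation time and is normally `1`, so setting only `all` and `default` to `0` does not stop redirects on existing interfaces. Either qualify the sentence to "new interfaces" and note that per-interface keys must be set for existing ones, or have the task also set `net.ipv4.conf.<interface>.send_redirects` for each present interface and document that.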
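Review bot: the RHEL-07-040730 page names only `net.ipv4.ip_forward`, so a deployer cannot tell whether opting in also disables IPv6 forwarding (`net.ipv6.conf.all.forwarding`); state explicitly which keys the opt-in task changes and, if IPv6 is untouched, say so. The warning would also be more useful if it named the common affected cases concretely, such as hypervisors with NAT'd guests, container hosts and bastion or NAT gateways, rather than the general "routes packets or host virtual machines".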
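Review bot: RHEL-07-040860 sets only `net.ipv6.conf.all.accept_source_route`, whereas the IPv4 counterpart in RHEL-07-040350 sets both the `all` and `default` keys; interfaces created after the role runs inherit `net.ipv6.conf.default.accept_source_route`, so either set the `default` key too and document it, or qualify the sentence to existing interfaces. Two further caveats worth a sentence: the kernel's ip-sysctl documentation describes IPv6 `accept_source_route` as an integer where `0` (the kernel default) still accepts type 2 routing headers and only a negative value rejects routing headers entirely, so `0` should be explained as the STIG-mandated value rather than as "disables source routing"; and, as in the 040350 hunk, the reference `"IPv6 source routing: history repeats itself" `_ has an empty link target that needs a URL.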