Merge "[Docs] Securing sysctl configurations"
commit
3d04cde3e7
@ -1,7 +1,19 @@
|
|||||||
---
|
---
|
||||||
id: RHEL-07-040350
|
id: RHEL-07-040350
|
||||||
status: not implemented
|
status: implemented
|
||||||
tag: misc
|
tag: kernel
|
||||||
---
|
---
|
||||||
|
|
||||||
This STIG requirement is not yet implemented.
|
The tasks in this role set ``net.ipv4.conf.all.accept_source_route`` and
|
||||||
|
``net.ipv4.conf.default.accept_source_route`` to ``0`` by default. This
|
||||||
|
prevents the system from forwarding source-routed IPv4 packets on all
|
||||||
|
new and existing interfaces.
|
||||||
|
|
||||||
|
Deployers can opt out of this change by setting the following Ansible variable:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
security_disallow_source_routed_packet_forward_ipv4: no
|
||||||
|
|
||||||
|
For more details on source routed packets, refer to the
|
||||||
|
`Red Hat documentation <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Disable-Source-Routing.html>`_.
|
||||||
|
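Review bot: the 040350 page says the role sets the two sysctls but not whether they are written persistently (for example under /etc/sysctl.d) or only applied at runtime, and it gives the reader no way to verify the result; add a check such as `sysctl net.ipv4.conf.all.accept_source_route net.ipv4.conf.default.accept_source_route`, with both expected to read 0. The "Red Hat documentation" link also points at the RHEL 6 Security Guide for a RHEL 7 control; link the RHEL 7 equivalent or say the RHEL 6 text is being cited deliberately. Minor wording: with accept_source_route set to 0 the kernel discards source-routed packets it receives, so "forwarding" here is the STIG's phrasing rather than a description of what the sysctl does; "accepting" would be more precise.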
@ -1,7 +1,9 @@
|
|||||||
---
|
---
|
||||||
id: RHEL-07-040351
|
id: RHEL-07-040351
|
||||||
status: not implemented
|
status: implemented
|
||||||
tag: misc
|
tag: kernel
|
||||||
---
|
---
|
||||||
|
|
||||||
This STIG requirement is not yet implemented.
|
This control is implemented by the tasks for another control:
|
||||||
|
|
||||||
|
* :ref:`stig-RHEL-07-040350`
|
||||||
|
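Review bot: the 040351 stub should state that the opt-out variable `security_disallow_source_routed_packet_forward_ipv4: no` reverts this control as well, since a deployer reading only this page would not learn that opting out of 040350 un-implements 040351 at the same time; one sentence naming the variable is enough.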
@ -1,7 +1,15 @@
|
|||||||
---
|
---
|
||||||
id: RHEL-07-040380
|
id: RHEL-07-040380
|
||||||
status: not implemented
|
status: implemented
|
||||||
tag: misc
|
tag: kernel
|
||||||
---
|
---
|
||||||
|
|
||||||
This STIG requirement is not yet implemented.
|
The tasks in this role set ``net.ipv4.icmp_echo_ignore_broadcasts`` to ``1``
|
||||||
|
by default. This prevents the system from responding to IPv4 ICMP echoes sent
|
||||||
|
to the broadcast address.
|
||||||
|
|
||||||
|
Deployers can opt out of this change by setting the following Ansible variable:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
security_disallow_echoes_broadcast_address: no
|
||||||
|
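Review bot: "IPv4 ICMP echoes" should read "ICMP echo requests", and the kernel's ip-sysctl documentation describes icmp_echo_ignore_broadcasts as ignoring ICMP ECHO and TIMESTAMP requests sent to broadcast or multicast addresses, so the description undersells what changes; say so, and add a verification step (`sysctl net.ipv4.icmp_echo_ignore_broadcasts` should return 1).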
@ -1,7 +1,9 @@
|
|||||||
---
|
---
|
||||||
id: RHEL-07-040410
|
id: RHEL-07-040410
|
||||||
status: not implemented
|
status: implemented
|
||||||
tag: misc
|
tag: kernel
|
||||||
---
|
---
|
||||||
|
|
||||||
This STIG requirement is not yet implemented.
|
This control is implemented by the tasks for another control:
|
||||||
|
|
||||||
|
* :ref:`stig-RHEL-07-040421`
|
||||||
|
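Review bot: the cross-reference sends the reader to 040421, which is itself only a pointer page; link 040420 directly, since that is where the send_redirects tasks and the opt-out variable are documented, and the two-hop chain (040410 to 040421 to 040420) will break silently if 040421 is later reworded.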
@ -1,7 +1,16 @@
|
|||||||
---
|
---
|
||||||
id: RHEL-07-040420
|
id: RHEL-07-040420
|
||||||
status: not implemented
|
status: implemented
|
||||||
tag: misc
|
tag: kernel
|
||||||
---
|
---
|
||||||
|
|
||||||
This STIG requirement is not yet implemented.
|
The tasks in this role set ``net.ipv4.conf.default.send_redirects`` and
|
||||||
|
``net.ipv4.conf.all.send_redirects`` to ``0`` by default. This prevents a
|
||||||
|
system from sending IPv4 ICMP redirect packets on all new and existing
|
||||||
|
interfaces.
|
||||||
|
|
||||||
|
Deployers can opt out of this change by setting the following Ansible variable:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
security_disallow_icmp_redirects: no
|
||||||
|
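Review bot: "on all new and existing interfaces" overstates what `default` and `all` achieve: the kernel enables redirects on an interface if either conf/all or conf/<interface>/send_redirects is true, so an interface that was explicitly set to 1 before the role runs keeps sending redirects even with both of these at 0. State that per-interface overrides are not touched, and add a check such as `sysctl -a 2>/dev/null | grep send_redirects` so a deployer can spot one.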
@ -1,7 +1,9 @@
|
|||||||
---
|
---
|
||||||
id: RHEL-07-040421
|
id: RHEL-07-040421
|
||||||
status: not implemented
|
status: implemented
|
||||||
tag: misc
|
tag: kernel
|
||||||
---
|
---
|
||||||
|
|
||||||
This STIG requirement is not yet implemented.
|
This control is implemented by the tasks for another control:
|
||||||
|
|
||||||
|
* :ref:`stig-RHEL-07-040420`
|
||||||
|
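Review bot: this stub should name `security_disallow_icmp_redirects: no` as the variable that opts out of 040421 too, so the effect of that setting on this control is visible without opening the 040420 page.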
@ -1,7 +1,22 @@
|
|||||||
---
|
---
|
||||||
id: RHEL-07-040730
|
id: RHEL-07-040730
|
||||||
status: not implemented
|
status: opt-in
|
||||||
tag: misc
|
tag: kernel
|
||||||
---
|
---
|
||||||
|
|
||||||
This STIG requirement is not yet implemented.
|
Disabling IP forwarding on a system that routes packets or host virtual
|
||||||
|
machines might cause network interruptions. The tasks in this role do not
|
||||||
|
adjust the ``net.ipv4.ip_forward`` configuration by default.
|
||||||
|
|
||||||
|
Deployers can opt in for this change and disable IP forwarding by setting the
|
||||||
|
following Ansible variable:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
security_disallow_ip_forwarding: yes
|
||||||
|
|
||||||
|
.. warning::
|
||||||
|
|
||||||
|
IP forwarding is required in some environments. Always test in a
|
||||||
|
non-production environment before changing this setting on a production
|
||||||
|
system.
|
||||||
|
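Review bot: the kernel's ip-sysctl documentation says that changing net.ipv4.ip_forward resets the other conf/* parameters to their default state (RFC 1122 for hosts, RFC 1812 for routers), and accept_source_route is among them, so the warning should also tell deployers that the source-route and redirect sysctls set by this role must be applied after any ip_forward change, and the role's tasks should be ordered that way; a deployer who later re-enables forwarding by hand can otherwise undo 040350 without noticing. Typo in the first sentence: "or host virtual machines" should read "or hosts virtual machines".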
@ -1,7 +1,18 @@
|
|||||||
---
|
---
|
||||||
id: RHEL-07-040860
|
id: RHEL-07-040860
|
||||||
status: not implemented
|
status: implemented
|
||||||
tag: misc
|
tag: kernel
|
||||||
---
|
---
|
||||||
|
|
||||||
This STIG requirement is not yet implemented.
|
The tasks in this role set ``net.ipv6.conf.all.accept_source_route`` to ``0``
|
||||||
|
by default. This prevents the system from forwarding source-routed IPv6
|
||||||
|
packets.
|
||||||
|
|
||||||
|
Deployers can opt out of this change by setting the following Ansible variable:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
security_disallow_source_routed_packet_forward_ipv6: no
|
||||||
|
|
||||||
|
Refer to `"IPv6 source routing: history repeats itself" <https://lwn.net/Articles/232781/>`_
|
||||||
|
for more details on IPv6 source routed packets.
|
||||||
|
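Review bot: this page sets only `net.ipv6.conf.all.accept_source_route`, while the IPv4 page sets both `all` and `default`; either say why `all` alone is enough for IPv6 or set `default` as well so the two controls are treated the same. Also, hosts that have IPv6 disabled or the module blacklisted, a common hardening step, will fail a sysctl write to a key that does not exist; the page should state whether the task is skipped on such hosts or whether the deployer must set `security_disallow_source_routed_packet_forward_ipv6: no` there.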