diff --git a/defaults/main.yml b/defaults/main.yml
index 862dcc3d..f57d7eca 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -506,3 +506,16 @@ security_sshd_enable_privilege_separation: yes # RHEL-07-040690
 security_sshd_enable_strict_modes: yes # RHEL-07-040680
 # Disallow Kerberos authentication.
 security_sshd_disable_kerberos_auth: yes # RHEL-07-040670
+
+## sysctl settings (kernel)
+# Disallow forwarding IPv4/IPv6 source routed packets on all interfaces
+# immediately and by default on new interfaces.
+security_disallow_source_routed_packet_forward_ipv4: yes # RHEL-07-040350 / RHEL-07-040351
+security_disallow_source_routed_packet_forward_ipv6: yes # RHEL-07-040860
+# Disallow responses to IPv4 ICMP echoes sent to broadcast address.
+security_disallow_echoes_broadcast_address: yes # RHEL-07-040380
+# Disallow IPV4 ICMP redirects on all interfaces immediately and by default on
+# new interfaces.
+security_disallow_icmp_redirects: yes # RHEL-07-040410 / RHEL-07-040420 / RHEL-07-040421
+# Disallow IP forwarding.
+security_disallow_ip_forwarding: no # RHEL-07-040730
diff --git a/tasks/main.yml b/tasks/main.yml
index 5325c963..04f09110 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -24,6 +24,11 @@
 tags:
 - always
 
+ - name: Gather additional variables about sysctl settings
+ include_vars: sysctl.yml
+ tags:
+ - always
+
 - name: Check for check/audit mode
 command: /bin/true
 register: noop_result
diff --git a/tasks/rhel7stig/kernel.yml b/tasks/rhel7stig/kernel.yml
new file mode 100644
index 00000000..d52fdf35
--- /dev/null
+++ b/tasks/rhel7stig/kernel.yml
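Review bot: `security_disallow_ip_forwarding: no` is the only control in the new sysctl block of defaults/main.yml that defaults to off, and the one-line comment `# Disallow IP forwarding.` explains neither why nor what `no` does. Because tasks/rhel7stig/kernel.yml maps a disabled setting to `state: absent`, `no` removes any `net.ipv4.ip_forward` line from sysctl.conf rather than setting it to 1, so an operator reading defaults alone cannot tell whether the host is left routing. Suggest expanding the comment to something like `# Disallow IP forwarding. Off by default because hosts that route or NAT traffic need it; when 'no' the sysctl entry is removed, not set to 1.` The `yes`/`no` spelling matches the rest of this file, so keeping it here is fine even though `true`/`false` is the more portable YAML form.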
@@ -0,0 +1,33 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Set sysctl configurations
+ sysctl:
+ name: "{{ item.name }}"
+ value: "{{ item.value }}"
+ state: "{{ item.enabled | ternary('present', 'absent') }}"
+ reload: yes
+ with_items: "{{ sysctl_settings_rhel7 }}"
+ tags:
+ - medium
+ - kernel
+ - RHEL-07-040350
+ - RHEL-07-040351
+ - RHEL-07-040380
+ - RHEL-07-040410
+ - RHEL-07-040420
+ - RHEL-07-040421
+ - RHEL-07-040730
+ - RHEL-07-040860
diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml
index a45cdf15..9e1b5657 100644
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
@@ -47,6 +47,7 @@
 - include: auth.yml
 - include: file_perms.yml
 - include: graphical.yml
+- include: kernel.yml
 - include: misc.yml
 - include: sshd.yml
 
diff --git a/vars/sysctl.yml b/vars/sysctl.yml
new file mode 100644
index 00000000..28f3261d
--- /dev/null
+++ b/vars/sysctl.yml
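Review bot: In the new `Set sysctl configurations` task, `state: "{{ item.enabled | ternary('present', 'absent') }}"` means that turning one of the `security_disallow_*` variables off removes the line from sysctl.conf but leaves the running kernel value untouched and writes nothing that would persist the relaxed value across a reboot, so the `absent` branch is effectively "stop managing", not "allow". That is a defensible choice for a hardening role, but it is not visible from the task name; a comment above the task should state it, e.g. `# A disabled setting is only removed from sysctl.conf; the running value is not reverted.` `reload: yes` also triggers a reload once per list item rather than once per run; with eight entries that is harmless, but a handler would scale better if the list grows.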
@@ -0,0 +1,37 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+sysctl_settings_rhel7:
+ - name: net.ipv4.conf.all.accept_source_route
+ value: 0
+ enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
+ - name: net.ipv4.conf.default.accept_source_route
+ value: 0
+ enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}"
+ - name: net.ipv4.icmp_echo_ignore_broadcasts
+ value: 1
+ enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
+ - name: net.ipv4.conf.all.send_redirects
+ value: 0
+ enabled: "{{ security_disallow_icmp_redirects | bool }}"
+ - name: net.ipv4.conf.default.send_redirects
+ value: 0
+ enabled: "{{ security_disallow_icmp_redirects | bool }}"
+ - name: net.ipv4.ip_forward
+ value: 0
+ enabled: "{{ security_disallow_ip_forwarding | bool }}"
+ - name: net.ipv6.conf.all.accept_source_route
+ value: 0
+ enabled: "{{ security_disallow_source_routed_packet_forward_ipv6 | bool }}"
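Review bot: The IPv6 part of `sysctl_settings_rhel7` sets only `net.ipv6.conf.all.accept_source_route`, while the comment added to defaults/main.yml for `security_disallow_source_routed_packet_forward_ipv6` promises "all interfaces immediately and by default on new interfaces"; either add a matching `net.ipv6.conf.default.accept_source_route` entry (mirroring the IPv4 `all`/`default` pair at the top of the list) or narrow the comment so the variable does what it documents. The second IPv4 entry reads `| bool}}` without the space the other six entries use; Jinja accepts it, but it should be aligned. Each `enabled` value is a templated string that kernel.yml feeds to `ternary`, which depends on Ansible converting the rendered "True"/"False" back to a real boolean — as far as I know it does so for whole-string templates, so keeping the `| bool` filter on every entry is what makes that work and is worth a one-line comment above the list.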