kernel - Kernel parameters

updated: 2019-10-14 18:16

kernel - Kernel parameters¶

The Linux kernel has many parameters that can improve overall system security and most of these parameters can be changed while a system is running.

Overview¶

The security role applies several changes to kernel parameters and each of these changes are controlled by Ansible variables. Review the ## Kernel settings section within defaults/main.yml file for more information on these changes.

One deviation appears in this section for IP forwarding. Review the documentation for V-72309 below for more details.

STIG requirements¶

All of the tasks for these STIG requirements are included in tasks/rhel7stig/kernel.yml.

V-71983¶

Summary: USB mass storage must be disabled.
Severity: Medium
Implementation Status: Opt-In

Deployer/Auditor notes¶

The tasks in the security role disable the usb-storage module and the change is applied the next time the server is rebooted.

Deployers can opt out of this change by setting the following Ansible variable:

security_rhel7_disable_usb_storage: no

V-72057¶

Summary: Kernel core dumps must be disabled unless needed.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

The kdump service is disabled if it exists on the system. Deployers can opt out of this change by setting the following Ansible variable:

security_disable_kdump: no

V-72283¶

Summary: The system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

The tasks in this role set net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 by default. This prevents the system from forwarding source-routed IPv4 packets on all new and existing interfaces.

Deployers can opt out of this change by setting the following Ansible variable:

security_disallow_source_routed_packet_forward_ipv4: no

For more details on source routed packets, refer to the Red Hat documentation.

V-72285¶

Summary: The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

This control is implemented by the tasks for another control:

The system must not forward Internet Protocol version 4 (IPv4) source-routed packets. (V-72283)

V-72287¶

Summary: The system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

The tasks in this role set net.ipv4.icmp_echo_ignore_broadcasts to 1 by default. This prevents the system from responding to IPv4 ICMP echoes sent to the broadcast address.

Deployers can opt out of this change by setting the following Ansible variable:

security_disallow_echoes_broadcast_address: no

V-72291¶

Summary: The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

The tasks in this role set net.ipv4.conf.default.send_redirects and net.ipv4.conf.all.send_redirects to 0 by default. This prevents a system from sending IPv4 ICMP redirect packets on all new and existing interfaces.

Deployers can opt out of this change by setting the following Ansible variable:

security_disallow_icmp_redirects: no

V-72293¶

Summary: The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

This control is implemented by the tasks for another control:

The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. (V-72291)

V-72309¶

Summary: The system must not be performing packet forwarding unless the system is a router.
Severity: Medium
Implementation Status: Opt-In

Deployer/Auditor notes¶

Disabling IP forwarding on a system that routes packets or host virtual machines might cause network interruptions. The tasks in this role do not adjust the net.ipv4.ip_forward configuration by default.

Deployers can opt in for this change and disable IP forwarding by setting the following Ansible variable:

security_disallow_ip_forwarding: yes

Warning

IP forwarding is required in some environments. Always test in a non-production environment before changing this setting on a production system.

V-72319¶

Summary: The system must not forward IPv6 source-routed packets.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

The tasks in this role set net.ipv6.conf.all.accept_source_route to 0 by default. This prevents the system from forwarding source-routed IPv6 packets.

Deployers can opt out of this change by setting the following Ansible variable:

security_disallow_source_routed_packet_forward_ipv6: no

Refer to “IPv6 source routing: history repeats itself” for more details on IPv6 source routed packets.

V-73175¶

Summary: The system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
Severity: Medium
Implementation Status: Implemented

Deployer/Auditor notes¶

This control is implemented by the tasks for another control:

The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. (V-72293)

updated: 2019-10-14 18:16

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.