The Linux kernel has many parameters that can improve overall system security, and most of these parameters can be changed while a system is running. The security role applies several changes to kernel parameters, and each of these changes is controlled by an Ansible variable. Review the ## Kernel settings section within the defaults/main.yml file for more information on these changes.
One deviation from the STIG appears in this section, for IP forwarding. Review the documentation for V-72309 below for more details.

All of the tasks for these STIG requirements are included in tasks/rhel7stig/kernel.yml.
The tasks in the security role disable the usb-storage module, and the change is applied the next time the server is rebooted. Deployers can opt out of this change by setting the following Ansible variable:

security_rhel7_disable_usb_storage: no
The kdump service is disabled if it exists on the system. Deployers can opt out of this change by setting the following Ansible variable:

security_disable_kdump: no
The tasks in this role set net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 by default. This prevents the system from forwarding source-routed IPv4 packets on all new and existing interfaces. Deployers can opt out of this change by setting the following Ansible variable:

security_disallow_source_routed_packet_forward_ipv4: no

For more details on source-routed packets, refer to the Red Hat documentation.

This control is implemented by the tasks for another control:
The tasks in this role set net.ipv4.icmp_echo_ignore_broadcasts to 1 by default. This prevents the system from responding to IPv4 ICMP echo requests sent to the broadcast address. Deployers can opt out of this change by setting the following Ansible variable:

security_disallow_echoes_broadcast_address: no
The tasks in this role set net.ipv4.conf.default.send_redirects and net.ipv4.conf.all.send_redirects to 0 by default. This prevents the system from sending IPv4 ICMP redirect packets on all new and existing interfaces. Deployers can opt out of this change by setting the following Ansible variable:

security_disallow_icmp_redirects: no

This control is implemented by the tasks for another control:
Disabling IP forwarding on a system that routes packets or hosts virtual machines might cause network interruptions. The tasks in this role do not adjust the net.ipv4.ip_forward setting by default. Deployers can opt in to this change and disable IP forwarding by setting the following Ansible variable:

security_disallow_ip_forwarding: yes

Warning: IP forwarding is required in some environments. Always test in a non-production environment before changing this setting on a production system.
The tasks in this role set net.ipv6.conf.all.accept_source_route to 0 by default. This prevents the system from forwarding source-routed IPv6 packets. Deployers can opt out of this change by setting the following Ansible variable:

security_disallow_source_routed_packet_forward_ipv6: no

Refer to “IPv6 source routing: history repeats itself” for more details on IPv6 source-routed packets.
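The sysctl controls above (IPv4 and IPv6 source routing, broadcast echo handling, ICMP redirects, and the optional IP forwarding change) can be verified after a playbook run with a small audit script. The following is an added example, not part of the ansible-hardening role, that reads `sysctl -a`-style "key = value" lines from a file and reports any key whose value differs from what the role sets. The sample capture it audits is constructed for illustration and is not output from a real host; the function names (get_sysctl, audit_sysctl, write_sample_capture) are this example's own.

```shell
#!/bin/sh
# Added example (not from the ansible-hardening role): audit the kernel
# parameters this page's controls set, using a saved `sysctl -a` capture.

# Values the role applies by default, one "key=value" per line.
EXPECTED_DEFAULT='net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv6.conf.all.accept_source_route=0'

# Only enforced when security_disallow_ip_forwarding is set to yes, so it is
# kept separate and checked on request.
EXPECTED_IP_FORWARD='net.ipv4.ip_forward=0'

# get_sysctl FILE KEY: print the value recorded for KEY in FILE.
# FILE holds "key = value" lines as produced by `sysctl -a`; the awk field
# separator absorbs the spaces around "=" so the key compares exactly.
get_sysctl() {
    awk -v key="$2" -F'[[:space:]]*=[[:space:]]*' '$1 == key { print $2; exit }' "$1"
}

# audit_sysctl FILE [check_ip_forward]
# Prints one line per deviation ("KEY expected=X actual=Y") and returns the
# number of deviations, so 0 means every checked key matches.
audit_sysctl() {
    file=$1
    expected=$EXPECTED_DEFAULT
    if [ -n "$2" ]; then
        expected="$expected
$EXPECTED_IP_FORWARD"
    fi
    mismatches=0
    # Each pair contains no whitespace, so word splitting yields one pair per loop.
    for pair in $expected; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(get_sysctl "$file" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key expected=$want actual=${have:-<missing>}"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# write_sample_capture FILE: write a constructed capture (not from a real host)
# with three deviations: broadcast echoes still answered, redirects still sent
# on all interfaces, and IP forwarding enabled.
write_sample_capture() {
    cat > "$1" <<'EOF'
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.accept_source_route = 0
EOF
}

# Stand-alone run against the constructed capture. Against a live host use:
#   sysctl -a > /tmp/sysctl.out && audit_sysctl /tmp/sysctl.out
SAMPLE=$(mktemp)
write_sample_capture "$SAMPLE"
audit_sysctl "$SAMPLE" || echo "deviations (default checks): $?"
audit_sysctl "$SAMPLE" check_ip_forward || echo "deviations (with ip_forward): $?"
rm -f "$SAMPLE"
```

The exit status doubles as the deviation count, which makes the script usable both from an interactive shell and from a post-deployment job that fails when any checked key drifts. Because the ip_forward check is opt-in, it mirrors the role's own behaviour: hosts that route traffic or run virtual machines can be audited without flagging a setting the deployer chose to keep.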
Except where otherwise noted, this document is licensed under the Creative Commons Attribution 3.0 License.