The Linux kernel has many parameters that can improve overall system security, and most of these parameters can be changed while a system is running. The security role applies several changes to kernel parameters, and each of these changes is controlled by an Ansible variable. Review the ## Kernel settings section within the defaults/main.yml file for more information on these changes.

One deviation appears in this section for IP forwarding. Review the documentation for V-72309 below for more details.

All of the tasks for these STIG requirements are included in tasks/rhel7stig/kernel.yml.
The tasks in the security role disable the usb-storage module, and the change is applied the next time the server is rebooted. Deployers can opt out of this change by setting the following Ansible variable:
security_rhel7_disable_usb_storage: no

The kdump service is disabled if it exists on the system. Deployers can opt out of this change by setting the following Ansible variable:
security_disable_kdump: no

The tasks in this role set net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 by default. This prevents the system from forwarding source-routed IPv4 packets on all new and existing interfaces. Deployers can opt out of this change by setting the following Ansible variable:
security_disallow_source_routed_packet_forward_ipv4: no

For more details on source-routed packets, refer to the Red Hat documentation.
This control is implemented by the tasks for another control:
The tasks in this role set net.ipv4.icmp_echo_ignore_broadcasts to 1 by default. This prevents the system from responding to IPv4 ICMP echoes sent to the broadcast address. Deployers can opt out of this change by setting the following Ansible variable:
security_disallow_echoes_broadcast_address: no

The tasks in this role set net.ipv4.conf.default.send_redirects and net.ipv4.conf.all.send_redirects to 0 by default. This prevents a system from sending IPv4 ICMP redirect packets on all new and existing interfaces. Deployers can opt out of this change by setting the following Ansible variable:
security_disallow_icmp_redirects: no
This control is implemented by the tasks for another control:
Disabling IP forwarding on a system that routes packets or hosts virtual machines might cause network interruptions. The tasks in this role do not adjust the net.ipv4.ip_forward configuration by default. Deployers can opt in to this change and disable IP forwarding by setting the following Ansible variable:
security_disallow_ip_forwarding: yes

Warning
IP forwarding is required in some environments. Always test in a non-production environment before changing this setting on a production system.

The tasks in this role set net.ipv6.conf.all.accept_source_route to 0 by default. This prevents the system from forwarding source-routed IPv6 packets. Deployers can opt out of this change by setting the following Ansible variable:
security_disallow_source_routed_packet_forward_ipv6: no

Refer to “IPv6 source routing: history repeats itself” for more details on IPv6 source-routed packets.
This control is implemented by the tasks for another control:
The ansible-hardening role disables the DCCP kernel module by default. Each system must be rebooted to fully apply the change. Deployers can opt out of the change by setting the following Ansible variable:
security_rhel7_disable_dccp: no

Most modern systems enable Address Space Layout Randomization (ASLR) by default (with a setting of 2), and the role ensures that the secure default is maintained. Deployers can opt out of the change by setting the following Ansible variable:
security_enable_aslr: no

For more details on the ASLR settings, review the sysctl documentation.
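The following audit script is an added example and is not part of the ansible-hardening role. It checks a host against the sysctl defaults described in this section (source routing, broadcast echoes, ICMP redirects, ASLR via kernel.randomize_va_space, which is the sysctl the ASLR setting of 2 refers to) and reports whether the usb-storage or dccp modules are still loaded. It reads the text form that `sysctl -a` and `lsmod` print, so it runs against a saved capture or a live host; the captures embedded below are constructed samples, and net.ipv4.ip_forward is reported separately because the role only changes it when security_disallow_ip_forwarding is set.

```shell
#!/bin/sh
# Added example (not role code): compare sysctl and lsmod output with the
# defaults the ansible-hardening kernel tasks apply. Run stand-alone to audit
# the constructed samples, or pass real output:
#   sh audit.sh "$(sysctl -a 2>/dev/null)" "$(lsmod)"

# key=value pairs the role sets by default (from the text above).
ROLE_DEFAULTS="net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv6.conf.all.accept_source_route=0
kernel.randomize_va_space=2"

# Constructed sample of `sysctl -a` output with two deviations: source routing
# accepted on the default interface template and ASLR switched off.
SAMPLE_SYSCTL="net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.ip_forward = 1
kernel.randomize_va_space = 0"

# Constructed sample of `lsmod` output (module name is the first column).
SAMPLE_LSMOD="Module                  Size  Used by
usb_storage            73728  0
xfs                  1515520  2"

# sysctl_value CAPTURE KEY -> prints the value of KEY, or nothing if absent.
sysctl_value() {
  printf '%s\n' "$1" | awk -v k="$2" -F'[ \t]*=[ \t]*' '$1 == k { print $2; exit }'
}

# audit_sysctl CAPTURE -> one "key expected=.. actual=.." line per deviation
# from ROLE_DEFAULTS; exit status 0 only when every key matches.
audit_sysctl() {
  printf '%s\n' "$ROLE_DEFAULTS" | {
    deviations=0
    while IFS='=' read -r key want; do
      have=$(sysctl_value "$1" "$key")
      if [ "$have" != "$want" ]; then
        printf '%s expected=%s actual=%s\n' "$key" "$want" "${have:-missing}"
        deviations=$((deviations + 1))
      fi
    done
    [ "$deviations" -eq 0 ]
  }
}

# loaded_denied_modules LSMOD_CAPTURE -> names of modules the role disables
# (usb-storage, dccp) that are still loaded; exit status 1 if any are.
loaded_denied_modules() {
  printf '%s\n' "$1" | awk 'NR > 1 && ($1 == "usb_storage" || $1 == "dccp") \
    { print $1; found = 1 } END { exit found ? 1 : 0 }'
}

# ip_forwarding_state CAPTURE -> value of net.ipv4.ip_forward, reported only,
# since the role leaves it untouched unless security_disallow_ip_forwarding is yes.
ip_forwarding_state() {
  sysctl_value "$1" net.ipv4.ip_forward
}

if [ "$#" -ge 1 ]; then
  audit_sysctl "$1"; status=$?
  [ "$#" -ge 2 ] && { loaded_denied_modules "$2" || status=1; }
  echo "net.ipv4.ip_forward=$(ip_forwarding_state "$1") (not managed unless opted in)"
  exit "$status"
else
  audit_sysctl "$SAMPLE_SYSCTL" || echo "sample sysctl capture deviates from the role defaults"
  loaded_denied_modules "$SAMPLE_LSMOD" || echo "sample lsmod capture has a module the role disables"
  echo "net.ipv4.ip_forward=$(ip_forwarding_state "$SAMPLE_SYSCTL") (not managed unless opted in)"
fi
```

Because the role only applies the module changes on the next reboot, a clean sysctl audit with usb_storage still in lsmod is the expected state between the playbook run and the reboot, which is why the two checks are reported separately.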
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.