kernel - Kernel parameters
The Linux kernel has many parameters that can improve overall system security, and most of these parameters can be changed while a system is running.
Overview
The security role applies several changes to kernel parameters, and each of these changes is controlled by Ansible variables. Review the ## Kernel settings section within the defaults/main.yml file for more information on these changes.
One deviation appears in this section for IP forwarding. Review the documentation for V-72309 below for more details.
STIG requirements
All of the tasks for these STIG requirements are included in tasks/rhel7stig/kernel.yml.
V-71983
Summary: USB mass storage must be disabled.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes
The tasks in the security role disable the usb-storage module, and the change is applied the next time the server is rebooted.
Deployers can opt out of this change by setting the following Ansible variable:
security_rhel7_disable_usb_storage: no
V-72057
Summary: Kernel core dumps must be disabled unless needed.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The kdump service is disabled if it exists on the system. Deployers can opt out of this change by setting the following Ansible variable:
security_disable_kdump: no
V-72283
Summary: The system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The tasks in this role set net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 by default. This prevents the system from forwarding source-routed IPv4 packets on all new and existing interfaces.
Deployers can opt out of this change by setting the following Ansible variable:
security_disallow_source_routed_packet_forward_ipv4: no
For more details on source-routed packets, refer to the Red Hat documentation.
V-72285
Summary: The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
This control is implemented by the tasks for another control:
V-72287
Summary: The system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The tasks in this role set net.ipv4.icmp_echo_ignore_broadcasts to 1 by default. This prevents the system from responding to IPv4 ICMP echoes sent to the broadcast address.
Deployers can opt out of this change by setting the following Ansible variable:
security_disallow_echoes_broadcast_address: no
V-72291
Summary: The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The tasks in this role set net.ipv4.conf.default.send_redirects and net.ipv4.conf.all.send_redirects to 0 by default. This prevents a system from sending IPv4 ICMP redirect packets on all new and existing interfaces.
Deployers can opt out of this change by setting the following Ansible variable:
security_disallow_icmp_redirects: no
V-72293
Summary: The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
This control is implemented by the tasks for another control:
V-72309
Summary: The system must not be performing packet forwarding unless the system is a router.
Severity: Medium
Implementation Status: Opt-In
Deployer/Auditor notes
Disabling IP forwarding on a system that routes packets or hosts virtual machines might cause network interruptions. The tasks in this role do not adjust the net.ipv4.ip_forward configuration by default.
Deployers can opt in for this change and disable IP forwarding by setting the following Ansible variable:
security_disallow_ip_forwarding: yes
Warning
IP forwarding is required in some environments. Always test in a non-production environment before changing this setting on a production system.
V-72319
Summary: The system must not forward IPv6 source-routed packets.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The tasks in this role set net.ipv6.conf.all.accept_source_route to 0 by default. This prevents the system from forwarding source-routed IPv6 packets.
Deployers can opt out of this change by setting the following Ansible variable:
security_disallow_source_routed_packet_forward_ipv6: no
Refer to “IPv6 source routing: history repeats itself” for more details on IPv6 source-routed packets.
V-73175
Summary: The system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
This control is implemented by the tasks for another control:
V-77821
Summary: The Datagram Congestion Control Protocol (DCCP) kernel module must be disabled unless required.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
The ansible-hardening role disables the DCCP kernel module by default. Each system must be rebooted to fully apply the change.
Deployers can opt out of the change by setting the following Ansible variable:
security_rhel7_disable_dccp: no
V-77825
Summary: The operating system must implement virtual address space randomization.
Severity: Medium
Implementation Status: Implemented
Deployer/Auditor notes
Most modern systems enable Address Space Layout Randomization (ASLR) by default (with a setting of 2), and the role ensures that the secure default is maintained.
Deployers can opt out of the change by setting the following Ansible variable:
security_enable_aslr: no
For more details on the ASLR settings, review the sysctl documentation.
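The sysctl-based controls above (V-72283, V-72287, V-72291, V-72309, V-72319 and V-77825) can be audited outside of Ansible by comparing live values with the expected ones. The following script is an added example and not part of the ansible-hardening role; the `sysctl -a` output it parses is constructed, and it assumes kernel.randomize_va_space is the key behind the ASLR control (the page only names the value 2).

```python
"""Audit kernel sysctl values against the RHEL 7 STIG kernel controls.
Added example, not role code; SAMPLE below is constructed sysctl output."""
import re

# Expected values per STIG ID. V-72309 (ip_forward) is opt-in, so it is only
# checked when the deployer has set security_disallow_ip_forwarding: yes.
# kernel.randomize_va_space is assumed to be the ASLR key (value 2).
STIG_SYSCTLS = {
    "V-72283": {"net.ipv4.conf.all.accept_source_route": 0,
                "net.ipv4.conf.default.accept_source_route": 0},
    "V-72287": {"net.ipv4.icmp_echo_ignore_broadcasts": 1},
    "V-72291": {"net.ipv4.conf.default.send_redirects": 0,
                "net.ipv4.conf.all.send_redirects": 0},
    "V-72309": {"net.ipv4.ip_forward": 0},
    "V-72319": {"net.ipv6.conf.all.accept_source_route": 0},
    "V-77825": {"kernel.randomize_va_space": 2},
}

def parse_sysctl(text):
    """Parse 'key = value' lines, as printed by `sysctl -a`, into a dict."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.\-/]+)\s*=\s*(\S+)\s*$", line)
        if m:
            values[m.group(1)] = m.group(2)
    return values

def audit(values, disallow_ip_forwarding=False):
    """Return {stig_id: [(key, expected, actual), ...]} for non-compliant keys.
    A key that is absent (e.g. IPv6 disabled) is reported with actual=None."""
    findings = {}
    for stig_id, expected in STIG_SYSCTLS.items():
        if stig_id == "V-72309" and not disallow_ip_forwarding:
            continue  # opt-in control: the role leaves ip_forward alone
        for key, want in expected.items():
            actual = values.get(key)
            if actual != str(want):
                findings.setdefault(stig_id, []).append((key, want, actual))
    return findings

# Constructed sample: one source-route default left open, forwarding enabled.
SAMPLE = """\
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_forward = 1
net.ipv6.conf.all.accept_source_route = 0
kernel.randomize_va_space = 2
"""
```

On a live host, feed `audit(parse_sysctl(subprocess.check_output(["sysctl", "-a"], text=True)))` the same way; with the sample above it reports V-72283 on the default interface setting and, only when opted in, V-72309.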