Code Review / apex-tripleo-heat-templates.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 85cf5d0)
Add network sysctl tweaks for security
authorzshi <zshi@redhat.com>
Wed, 29 Mar 2017 08:17:46 +0000 (16:17 +0800)
committerzshi <zshi@redhat.com>
Wed, 29 Mar 2017 08:34:29 +0000 (16:34 +0800)
* Disable Kernel Parameter for Sending ICMP Redirects:
    - net.ipv4.conf.default.send_redirects = 0
    - net.ipv4.conf.all.send_redirects = 0

    Rationale: An attacker could use a compromised host
    to send invalid ICMP redirects to other router devices
    in an attempt to corrupt routing and have users access
    a system set up by the attacker as opposed to a valid
    system.

* Disable Kernel Parameter for Accepting ICMP Redirects:
    - net.ipv4.conf.default.accept_redirects = 0

    Rationale: Attackers could use bogus ICMP redirect
    messages to maliciously alter the system routing tables
    and get them to send packets to incorrect networks and
    allow your system packets to be captured.

* Disable Kernel Parameter for secure ICMP Redirects:
    - net.ipv4.conf.default.secure_redirects = 0
    - net.ipv4.conf.all.secure_redirects = 0

    Rationale: Secure ICMP redirects are the same as ICMP
    redirects, except they come from gateways listed on
    the default gateway list. It is assumed that these
    gateways are known to your system, and that they are
    likely to be secure.

* Enable Kernel Parameter to log suspicious packets:
    - net.ipv4.conf.default.log_martians = 1
    - net.ipv4.conf.all.log_martians = 1

    Rationale: Enabling this feature and logging these packets
    allows an administrator to investigate the possibility
    that an attacker is sending spoofed packets to their system.

* Ensure IPv6 redirects are not accepted by Default
    - net.ipv6.conf.all.accept_redirects = 0
    - net.ipv6.conf.default.accept_redirects = 0

    Rationale: It is recommended that systems not accept ICMP
    redirects as they could be tricked into routing traffic to
    compromised machines. Setting hard routes within the system
    (usually a single default route to a trusted router) protects
    the system from bad routes.

Change-Id: I2e8ab3141ee37ee6dd5a23d23dbb97c93610ea2e
Co-Authored-By: Luke Hinds <lhinds@redhat.com>
Signed-off-by: zshi <zshi@redhat.com>
puppet/services/kernel.yaml patch | blob | history
releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml [new file with mode: 0644] patch | blob
releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml [new file with mode: 0644] patch | blob

diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index ee4c771..380fb88 100644 (file)
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -39,6 +39,20 @@ outputs:
             value: 5
           net.ipv4.tcp_keepalive_time:
             value: 5
+          net.ipv4.conf.default.send_redirects:
+            value: 0
+          net.ipv4.conf.all.send_redirects:
+            value: 0
+          net.ipv4.conf.default.accept_redirects:
+            value: 0
+          net.ipv4.conf.default.secure_redirects:
+            value: 0
+          net.ipv4.conf.all.secure_redirects:
+            value: 0
+          net.ipv4.conf.default.log_martians:
+            value: 1
+          net.ipv4.conf.all.log_martians:
+            value: 1
           net.nf_conntrack_max:
             value: 500000
           net.netfilter.nf_conntrack_max:
@@ -52,6 +66,10 @@ outputs:
             value: 0
           net.ipv6.conf.default.autoconf:
             value: 0
+          net.ipv6.conf.default.accept_redirects:
+            value: 0
+          net.ipv6.conf.all.accept_redirects:
+            value: 0
           net.core.netdev_max_backlog:
             value: 10000
           kernel.pid_max:
diff --git a/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml
new file mode 100644 (file)
index 0000000..0f226a8
--- /dev/null
+++ b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml
@@ -0,0 +1,19 @@
+---
+upgrade:
+  - The net.ipv4.conf.default.send_redirects & net.ipv4.conf.all.send_redirects
+    are now set to 0 to prevent a compromised host from sending invalid ICMP
+    redirects to other router devices.
+  - The net.ipv4.conf.default.accept_redirects,
+    net.ipv6.conf.default.accept_redirects & net.ipv6.conf.all.accept_redirects
+    are now set to 0 to prevent forged ICMP packet from altering host's routing
+    tables.
+  - The net.ipv4.conf.default.secure_redirects &
+    net.ipv4.conf.all.secure_redirects are now set to 0 to disable acceptance
+    of secure ICMP redirected packets.
+security:
+  - Invalide ICMP redirects may corrupt routing and have users access a system
+    set up by the attacker as opposed to a valid system.
+  - Routing tables may be altered by bogus ICMP redirect messages and send
+    packets to incorrect networks.
+  - Secure ICMP redirects are the same as ICMP redirects, except they come from
+    gateways listed on the default gateway list.
diff --git a/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml
new file mode 100644 (file)
index 0000000..bb2543f
--- /dev/null
+++ b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    The net.ipv4.conf.default.log_martians & net.ipv4.conf.all.log_martians are
+    now set to 1 to enable logging of suspicious packets.
+security:
+  - |
+    Logging of suspicious packets allows an administrator to investigate the
+    spoofed packets sent to their system.