kernel - Kernel parameters

The Linux kernel has many parameters that can improve overall system security and most of these parameters can be changed while a system is running.

Overview

The security role applies several changes to kernel parameters, and each of these changes is controlled by an Ansible variable. Review the ## Kernel settings section of the defaults/main.yml file for more information on these changes.

One deviation from the STIG appears in this section: IP forwarding is left unchanged by default. Review the documentation for V-72309 below for more details.

STIG requirements

All of the tasks for these STIG requirements are included in tasks/rhel7stig/kernel.yml.

V-71983

  • Summary: USB mass storage must be disabled.
  • Severity: Medium
  • Implementation Status: Opt-In

Deployer/Auditor notes

The tasks in the security role disable the usb-storage module and the change is applied the next time the server is rebooted.

Deployers can opt out of this change by setting the following Ansible variable:

security_rhel7_disable_usb_storage: no

V-72057

  • Summary: Kernel core dumps must be disabled unless needed.
  • Severity: Medium
  • Implementation Status: Implemented

Deployer/Auditor notes

The kdump service is disabled if it exists on the system. Deployers can opt out of this change by setting the following Ansible variable:

security_disable_kdump: no

V-72283

  • Summary: The system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
  • Severity: Medium
  • Implementation Status: Implemented

Deployer/Auditor notes

The tasks in this role set net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 by default. This prevents the system from forwarding source-routed IPv4 packets on all new and existing interfaces.

Deployers can opt out of this change by setting the following Ansible variable:

security_disallow_source_routed_packet_forward_ipv4: no

For more details on source-routed packets, refer to the Red Hat documentation.

V-72285

  • Summary: The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
  • Severity: Medium
  • Implementation Status: Implemented

Deployer/Auditor notes

This control is implemented by the tasks for another control: V-72283, whose tasks also set net.ipv4.conf.default.accept_source_route to 0.

V-72287

  • Summary: The system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
  • Severity: Medium
  • Implementation Status: Implemented

Deployer/Auditor notes

The tasks in this role set net.ipv4.icmp_echo_ignore_broadcasts to 1 by default. This prevents the system from responding to IPv4 ICMP echoes sent to the broadcast address.

Deployers can opt out of this change by setting the following Ansible variable:

security_disallow_echoes_broadcast_address: no

V-72291

  • Summary: The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
  • Severity: Medium
  • Implementation Status: Implemented

Deployer/Auditor notes

The tasks in this role set net.ipv4.conf.default.send_redirects and net.ipv4.conf.all.send_redirects to 0 by default. This prevents a system from sending IPv4 ICMP redirect packets on all new and existing interfaces.

Deployers can opt out of this change by setting the following Ansible variable:

security_disallow_icmp_redirects: no

V-72293

  • Summary: The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
  • Severity: Medium
  • Implementation Status: Implemented

V-72309

  • Summary: The system must not be performing packet forwarding unless the system is a router.
  • Severity: Medium
  • Implementation Status: Opt-In

Deployer/Auditor notes

Disabling IP forwarding on a system that routes packets or hosts virtual machines might cause network interruptions. The tasks in this role do not adjust the net.ipv4.ip_forward configuration by default.

Deployers can opt in for this change and disable IP forwarding by setting the following Ansible variable:

security_disallow_ip_forwarding: yes

Warning

IP forwarding is required in some environments. Always test in a non-production environment before changing this setting on a production system.


V-72319

  • Summary: The system must not forward IPv6 source-routed packets.
  • Severity: Medium
  • Implementation Status: Implemented

Deployer/Auditor notes

The tasks in this role set net.ipv6.conf.all.accept_source_route to 0 by default. This prevents the system from forwarding source-routed IPv6 packets.

Deployers can opt out of this change by setting the following Ansible variable:

security_disallow_source_routed_packet_forward_ipv6: no

Refer to “IPv6 source routing: history repeats itself” for more details on IPv6 source-routed packets.

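The sysctl controls above (V-72283, V-72287, V-72291, V-72319, and the opt-in V-72309) all reduce to "this key must hold this value". The following shell script is an added example, not code from the ansible-hardening role: it audits "sysctl -a"-style output against the expected values named in the notes above and reports each deviation, treating a missing key as a deviation as well (for instance when IPv6 is disabled and the net.ipv6 keys are absent). The ip_forward check is optional, mirroring the opt-in behaviour of security_disallow_ip_forwarding.

```shell
#!/bin/sh
# Added example (not code from the ansible-hardening role): audit the sysctl
# parameters that the controls on this page set, using "sysctl -a" output.

# Expected values, one "key=value" per line; keys and values are the ones the
# control notes name.
EXPECTED_SYSCTL='net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_source_route=0'

# sysctl_value <file> <key>: print the value of <key> from "key = value"
# lines, or nothing if the key is absent.
sysctl_value() {
    # escape the dots so the sed pattern matches them literally
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^$esc[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# audit_sysctl <file> [check_ip_forward]
# Prints one line per deviation: "<key> expected=<e> actual=<a|missing>".
# Pass "yes" as the second argument to also require net.ipv4.ip_forward=0
# (the opt-in V-72309 change). Returns 0 if compliant, 1 otherwise.
audit_sysctl() {
    file=$1
    check_forward=${2:-no}
    expected=$EXPECTED_SYSCTL
    if [ "$check_forward" = "yes" ]; then
        expected="$expected
net.ipv4.ip_forward=0"
    fi
    failures=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        have=$(sysctl_value "$file" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key expected=$want actual=${have:-missing}"
            failures=$((failures + 1))
        fi
    done <<EOF
$expected
EOF
    [ "$failures" -eq 0 ]
}

# Constructed sample of "sysctl -a" output (not captured from a real host):
# two wrong values, one missing IPv6 key, and forwarding enabled.
SAMPLE_SYSCTL='net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 1'

# demo_audit: run the audit over the constructed sample.
demo_audit() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SYSCTL" > "$tmp"
    if audit_sysctl "$tmp" yes; then
        echo "compliant"
    else
        echo "deviations found"
    fi
    rm -f "$tmp"
}

# On a live host: sysctl -a 2>/dev/null > /tmp/sysctl.txt && audit_sysctl /tmp/sysctl.txt yes
case "${1:-}" in --demo) demo_audit ;; esac
```

Running the demo reports four deviations: the two values set to 1 instead of 0, the absent net.ipv6.conf.all.accept_source_route key, and net.ipv4.ip_forward because the forwarding check was requested. Drop the second argument on a host that legitimately routes and only the first three remain.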
V-73175

  • Summary: The system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
  • Severity: Medium
  • Implementation Status: Implemented

Deployer/Auditor notes

This control is implemented by the tasks for another control:

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.