author: Jenkins <jenkins@review.openstack.org> 2017-04-06 09:41:00 +0000
committer: Gerrit Code Review <review@openstack.org> 2017-04-06 09:41:00 +0000
commit: 886d9afc793fa2a719b32270df4b2fb453a02ad7 (patch)
tree: 8a72c30c5ff5da330957685dbfc8baf94d35a591 /releasenotes
parent: 35d70db4c1f6b8f2f28835ef1880b58d3cb551d6 (diff)
parent: 7268d1ae146bb9aa5e23ee3330457a4eb5a71fd8 (diff)
Merge "Add network sysctl tweaks for security"
Diffstat (limited to 'releasenotes')
-rw-r--r-- releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml | 19
-rw-r--r-- releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml | 9
2 files changed, 28 insertions, 0 deletions
diff --git a/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml new file mode 100644 index 00000000..0f226a84 --- /dev/null +++ b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml @@ -0,0 +1,19 @@ +--- +upgrade: + - The net.ipv4.conf.default.send_redirects & net.ipv4.conf.all.send_redirects + are now set to 0 to prevent a compromised host from sending invalid ICMP + redirects to other router devices. + - The net.ipv4.conf.default.accept_redirects, + net.ipv6.conf.default.accept_redirects & net.ipv6.conf.all.accept_redirects + are now set to 0 to prevent forged ICMP packet from altering host's routing + tables. + - The net.ipv4.conf.default.secure_redirects & + net.ipv4.conf.all.secure_redirects are now set to 0 to disable acceptance + of secure ICMP redirected packets. +security: + - Invalide ICMP redirects may corrupt routing and have users access a system + set up by the attacker as opposed to a valid system. + - Routing tables may be altered by bogus ICMP redirect messages and send + packets to incorrect networks. + - Secure ICMP redirects are the same as ICMP redirects, except they come from + gateways listed on the default gateway list. diff --git a/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml new file mode 100644 index 00000000..bb2543f2 --- /dev/null +++ b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml @@ -0,0 +1,9 @@ +--- +upgrade: + - | + The net.ipv4.conf.default.log_martians & net.ipv4.conf.all.log_martians are + now set to 1 to enable logging of suspicious packets. +security: + - | + Logging of suspicious packets allows an administrator to investigate the + spoofed packets sent to their system. |
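Review bot: in the first hunk (disable-kernel-parameter-for-icmp-redirects), the second upgrade bullet lists net.ipv4.conf.default.accept_redirects together with both IPv6 keys but omits net.ipv4.conf.all.accept_redirects, while the send_redirects and secure_redirects bullets set both the default.* and all.* keys; if the role really sets only the default.* key for IPv4, interfaces that already exist keep accepting redirects, so either add "net.ipv4.conf.all.accept_redirects" to the list or confirm the role sets it and document it. Smaller points in the same hunk: "Invalide ICMP redirects" should read "Invalid ICMP redirects", "prevent forged ICMP packet from altering host's routing tables" should read "prevent forged ICMP packets from altering the host's routing tables", and the third security bullet only defines secure redirects without stating the risk, unlike the other two bullets. For consistency with the second file, the multi-line bullets here could use the `- |` block-scalar form as well.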
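Review bot: in the second hunk (enable-logging-suspicious-packets), the note should say what "suspicious packets" means for these sysctls and where the messages end up, so an operator reading the release note can actually act on it: log_martians logs packets whose source address is impossible for the interface they arrived on (martians), and the messages go to the kernel log, so the security bullet could read "Logging of martian packets (packets with impossible source addresses) to the kernel log allows an administrator to investigate spoofed packets sent to their system." and, as with the first file, note both the default.* and all.* keys in the upgrade bullet so readers know existing interfaces are covered.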