From 7268d1ae146bb9aa5e23ee3330457a4eb5a71fd8 Mon Sep 17 00:00:00 2001
From: zshi <zshi@redhat.com>
Date: Wed, 29 Mar 2017 16:17:46 +0800
Subject: Add network sysctl tweaks for security

* Disable Kernel Parameter for Sending ICMP Redirects:
    - net.ipv4.conf.default.send_redirects = 0
    - net.ipv4.conf.all.send_redirects = 0

    Rationale: An attacker could use a compromised host
    to send invalid ICMP redirects to other router devices
    in an attempt to corrupt routing and have users access
    a system set up by the attacker as opposed to a valid
    system.

* Disable Kernel Parameter for Accepting ICMP Redirects:
    - net.ipv4.conf.default.accept_redirects = 0

    Rationale: Attackers could use bogus ICMP redirect
    messages to maliciously alter the system routing tables
    and get them to send packets to incorrect networks and
    allow your system packets to be captured.

* Disable Kernel Parameter for secure ICMP Redirects:
    - net.ipv4.conf.default.secure_redirects = 0
    - net.ipv4.conf.all.secure_redirects = 0

    Rationale: Secure ICMP redirects are the same as ICMP
    redirects, except they come from gateways listed on
    the default gateway list. It is assumed that these
    gateways are known to your system, and that they are
    likely to be secure.

* Enable Kernel Parameter to log suspicious packets:
    - net.ipv4.conf.default.log_martians = 1
    - net.ipv4.conf.all.log_martians = 1

    Rationale: Enabling this feature and logging these packets
    allows an administrator to investigate the possibility
    that an attacker is sending spoofed packets to their system.

* Ensure IPv6 redirects are not accepted by Default
    - net.ipv6.conf.all.accept_redirects = 0
    - net.ipv6.conf.default.accept_redirects = 0

    Rationale: It is recommended that systems not accept ICMP
    redirects as they could be tricked into routing traffic to
    compromised machines. Setting hard routes within the system
    (usually a single default route to a trusted router) protects
    the system from bad routes.

Change-Id: I2e8ab3141ee37ee6dd5a23d23dbb97c93610ea2e
Co-Authored-By: Luke Hinds <lhinds@redhat.com>
Signed-off-by: zshi <zshi@redhat.com>
---
 puppet/services/kernel.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'puppet/services/kernel.yaml')

diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index ee4c771f..380fb882 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -39,6 +39,20 @@ outputs:
             value: 5
           net.ipv4.tcp_keepalive_time:
             value: 5
+          net.ipv4.conf.default.send_redirects:
+            value: 0
+          net.ipv4.conf.all.send_redirects:
+            value: 0
+          net.ipv4.conf.default.accept_redirects:
+            value: 0
+          net.ipv4.conf.default.secure_redirects:
+            value: 0
+          net.ipv4.conf.all.secure_redirects:
+            value: 0
+          net.ipv4.conf.default.log_martians:
+            value: 1
+          net.ipv4.conf.all.log_martians:
+            value: 1
           net.nf_conntrack_max:
             value: 500000
           net.netfilter.nf_conntrack_max:
@@ -52,6 +66,10 @@ outputs:
             value: 0
           net.ipv6.conf.default.autoconf:
             value: 0
+          net.ipv6.conf.default.accept_redirects:
+            value: 0
+          net.ipv6.conf.all.accept_redirects:
+            value: 0
           net.core.netdev_max_backlog:
             value: 10000
           kernel.pid_max:
-- 
cgit 1.2.3-korg