Fuel for OpenStack

Fuel master sysctl.conf security hardening

Bug #1648789 reported by Adam Heczko on 2016-12-09

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Fuel for OpenStack	Won't Fix	Medium	Stanislaw Bogatkin	Fuel for OpenStack 11.0
Nominated for Ocata by Oleksiy Molchanov
	8.0.x	Won't Fix	Medium	Stanislaw Bogatkin	Fuel for OpenStack 8.0-updates
	Mitaka	Won't Fix	Medium	Stanislaw Bogatkin	Fuel for OpenStack 9.x-updates
	Newton	Won't Fix	Medium	Stanislaw Bogatkin	Fuel for OpenStack 10.1

Bug Description

Detailed bug description:
Observe Linux network stack sysctl values of Fuel master node.

Expected results:
generic-ip-source-routing-enabled
For Linux systems ensure the following sysctl values are set:
* net.ipv4.conf.all.accept_source_route=0
* net.ipv4.conf.all.forwarding=0
* net.ipv6.conf.all.forwarding=0
* net.ipv4.conf.all.mc_forwarding=0
* net.ipv6.conf.all.mc_forwarding=0

sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.all.forwarding=0
sysctl -w net.ipv6.conf.all.forwarding=0
sysctl -w net.ipv4.conf.all.mc_forwarding=0
sysctl -w net.ipv6.conf.all.mc_forwarding=0

More Linux information can be found at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Disable-Source-Routing.html

linux-icmp-redirect
Disable ICMP redirect support
Issue the following commands as root:
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
These settings can be added to /etc/sysctl.conf to make them permanent.

generic-tcp-timestamp
Disable TCP timestamp responses on Linux
Set the value of net.ipv4.tcp_timestamps to 0 by running the following command:
sysctl -w net.ipv4.tcp_timestamps=0
Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:
net.ipv4.tcp_timestamps=0

Tags:

Adam Heczko (aheczko-mirantis) on 2016-12-09

Changed in fuel:
importance:	Undecided → Medium

Oleksiy Molchanov (omolchanov) on 2016-12-12

Changed in fuel:
milestone:	10.1 → 11.0
assignee:	nobody → Fuel Sustaining (fuel-sustaining-team)
status:	New → Confirmed
tags:	added: area-library

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-12-12: Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/409746

Changed in fuel:
assignee:	Fuel Sustaining (fuel-sustaining-team) → Oleksiy Molchanov (omolchanov)
status:	Confirmed → In Progress

Oleksiy Molchanov (omolchanov) on 2016-12-14

Changed in fuel:
assignee:	Oleksiy Molchanov (omolchanov) → Fuel Sustaining (fuel-sustaining-team)
status:	In Progress → Confirmed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-12-14: Change abandoned on fuel-library (master)

Change abandoned by Oleksiy Molchanov (<email address hidden>) on branch: master
Review: https://review.openstack.org/409746

Stanislaw Bogatkin (sbogatkin) on 2017-01-30

Changed in fuel:
assignee:	Fuel Sustaining (fuel-sustaining-team) → Stanislaw Bogatkin (sbogatkin)

Revision history for this message

Oleksiy Molchanov (omolchanov) wrote on 2017-10-09:

It looks like a feature and needs a lot of efforts and test coverage to implement this.

Also Fuel relies on part of the suggested parameters.

Closing as Invalid.

Changed in fuel:
status:	Confirmed → Invalid
status:	Invalid → Won't Fix

Revision history for this message

Oleksiy Molchanov (omolchanov) wrote on 2017-10-09:

Sorry, won't fix.

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.