Add Additional sysctl values for security
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Expired | Undecided | Unassigned |
Bug Description
The following additions should be added to sysctl [1] to improve security and help meet security compliance standards.
* Disable Core Dumps for SUID programs
fs.
Rationale: The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.
* Enable Randomized Layout of Virtual Address Space
kernel.
Rationale: Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
* Restrict Access to Kernel Message Buffer
kernel.
Rationale: Unprivileged access to the kernel syslog can expose sensitive kernel address information.
* Network sysctl tweaks:
- Disable Kernel Parameter for Sending ICMP Redirects
net.
net.
Rationale: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.
- Disable Kernel Parameter for Accepting ICMP Redirects
net.
net.
Rationale: Attackers could use bogus ICMP redirect messages to maliciously alter the system's routing tables, causing it to send packets to incorrect networks and allowing your system's packets to be captured.
- Disable Kernel Parameter for secure ICMP Redirects
net.
net.
Rationale: Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure.
- Enable Kernel Parameter to log suspicious packets by Default
net.
net.
Rationale: Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.
- Ensure source routed packets are not accepted
net.ipv4.
net.ipv4.
Rationale: Setting net.ipv4.
net.ipv4.
versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing.
- Ensure broadcast ICMP requests are ignored
net.ipv4.
Rationale: Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied.
- Ensure bogus ICMP responses are ignored
net.ipv4.
Rationale: Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages.
- Ensure Reverse Path Filtering is enabled
net.ipv4.
net.ipv4.
Rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (BGP, OSPF, etc.) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
- Ensure TCP SYN Cookies is enabled
net.ipv4.
Rationale: Attackers use SYN flood attacks to perform a denial of service attack on a system by sending many SYN packets without completing the three-way handshake. This quickly uses up slots in the kernel's half-open connection queue and prevents legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even while under a denial of service attack.
- Ensure IPv6 redirects are not accepted by Default
net.ipv6.
net.ipv6.
Rationale: It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.
- Disable Source-Routed Packets
net.ipv6.
net.ipv6.
Rationale: see the IPv4 source-routed packets entry above.
- Ensure IPv6 is disabled
options ipv6 disable=1
Rationale: If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system.
Bug activity
- description: updated
- Changed in tripleo: milestone: pike-1 → pike-2
- Changed in tripleo: milestone: pike-2 → pike-3
- Changed in tripleo: milestone: pike-3 → pike-rc1
- Changed in tripleo: milestone: pike-rc1 → pike-rc2
- Changed in tripleo: milestone: pike-rc2 → queens-1
- Changed in tripleo: milestone: queens-1 → queens-2
- Changed in tripleo: milestone: queens-2 → queens-3
- Changed in tripleo: assignee: nobody → Mike Fedosin (mfedosin)
- tags: added: pike-backport-potential
- Changed in tripleo: milestone: queens-3 → queens-rc1
- Changed in tripleo: milestone: queens-rc1 → rocky-1
- Changed in tripleo: milestone: rocky-1 → rocky-2
- Changed in tripleo: milestone: rocky-2 → rocky-3
- Changed in tripleo: milestone: rocky-3 → rocky-rc1
- Changed in tripleo: status: In Progress → Triaged; assignee: Mike Fedosin (mfedosin) → nobody
- Changed in tripleo: milestone: rocky-rc1 → stein-1
- Changed in tripleo: milestone: stein-1 → stein-2
Just an FYI but there's a problem with disabling ipv6 and wanting to set net.ipv6.* options. If you disable ipv6, the sysctl module fails because the ipv6 options are not available to be changed. We've run into this on the undercloud. So we'll probably want to make ipv6 configurable and only set those options if ipv6 is enabled.
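To make the list in the bug description checkable, and to handle the IPv6 caveat raised in the comment above, here is an added audit script (not part of the bug report or of tripleo). It assumes the report's truncated entries map to the sysctl keys and values listed in HARDENING_SYSCTLS, and lets the /proc/sys root be pointed at a constructed tree so it can be run offline.

```shell
#!/bin/sh
# Audit hardening sysctls against a /proc/sys tree; IPv6 keys are skipped
# when the tree has no net/ipv6 directory (IPv6 disabled, see the comment).
# Assumed mapping of the report's truncated entries to real sysctl keys.
HARDENING_SYSCTLS='
fs.suid_dumpable=0
kernel.randomize_va_space=2
kernel.dmesg_restrict=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
'

# $1: root of the tree to inspect (defaults to /proc/sys). Prints one line per
# key (ok / drift / missing / skip) and returns 1 on any drift or missing key.
audit_sysctls() {
    root=${1:-/proc/sys}
    rc=0
    for entry in $HARDENING_SYSCTLS; do
        key=${entry%%=*}; want=${entry#*=}
        path="$root/$(printf '%s' "$key" | tr . /)"
        case $key in
            net.ipv6.*) [ -d "$root/net/ipv6" ] || { echo "skip    $key (ipv6 disabled)"; continue; } ;;
        esac
        if [ ! -r "$path" ]; then echo "missing $key"; rc=1; continue; fi
        have=$(cat "$path")
        if [ "$have" = "$want" ]; then echo "ok      $key=$have"
        else echo "drift   $key=$have (want $want)"; rc=1; fi
    done
    return $rc
}
```

Run it as `audit_sysctls` on a live host to get a drift report; the non-zero exit code makes it usable as a compliance check in CI or a config-management handler.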