2017-03-03 10:35:29 |
Luke Hinds |
bug |
|
|
added bug |
2017-03-03 10:36:27 |
Luke Hinds |
description |
The following additions should be added to sysctl [1] to improve security and help meet security compliance standards.
* Disable Core Dumps for SUID programs
The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.
fs.suid_dumpable = 0
* Enable Randomized Layout of Virtual Address Space
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
kernel.randomize_va_space = 2
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
* Restrict Access to Kernel Message Buffer
Unprivileged access to the kernel syslog can expose sensitive kernel address information.
To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
kernel.dmesg_restrict=1
network sysctl tweaks:
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Rationale:
An attacker could use a compromised host to send invalid ICMP redirects to other router
devices in an attempt to corrupt routing and have users access a system set up by the
attacker as opposed to a valid system.
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
Rationale:
Attackers could use bogus ICMP redirect messages to maliciously alter the system routing
tables and get them to send packets to incorrect networks and allow your system packets
to be captured.
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1
Rationale:
Enabling this feature and logging these packets allows an administrator to investigate the
possibility that an attacker is sending spoofed packets to their system.
[1] https://github.com/openstack/tripleo-heat-templates/blob/1fcae324219a77d74fa12fb9eaac400a0658cac4/puppet/services/kernel.yaml |
The following additions should be added to sysctl [1] to improve security and help meet security compliance standards.
* Disable Core Dumps for SUID programs
The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.
fs.suid_dumpable = 0
* Enable Randomized Layout of Virtual Address Space
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
kernel.randomize_va_space = 2
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
* Restrict Access to Kernel Message Buffer
Unprivileged access to the kernel syslog can expose sensitive kernel address information.
To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
kernel.dmesg_restrict=1
network sysctl tweaks:
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Rationale:
An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
Rationale:
Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured.
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1
Rationale:
Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.
[1] https://github.com/openstack/tripleo-heat-templates/blob/1fcae324219a77d74fa12fb9eaac400a0658cac4/puppet/services/kernel.yaml |
|
2017-03-03 10:38:05 |
Luke Hinds |
description |
The following additions should be added to sysctl [1] to improve security and help meet security compliance standards.
* Disable Core Dumps for SUID programs
The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.
fs.suid_dumpable = 0
* Enable Randomized Layout of Virtual Address Space
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
kernel.randomize_va_space = 2
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
* Restrict Access to Kernel Message Buffer
Unprivileged access to the kernel syslog can expose sensitive kernel address information.
To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
kernel.dmesg_restrict=1
network sysctl tweaks:
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Rationale:
An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
Rationale:
Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured.
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1
Rationale:
Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.
[1] https://github.com/openstack/tripleo-heat-templates/blob/1fcae324219a77d74fa12fb9eaac400a0658cac4/puppet/services/kernel.yaml |
The following additions should be added to sysctl [1] to improve security and help meet security compliance standards.
* Disable Core Dumps for SUID programs
The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.
fs.suid_dumpable = 0
* Enable Randomized Layout of Virtual Address Space
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
kernel.randomize_va_space = 2
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
* Restrict Access to Kernel Message Buffer
Unprivileged access to the kernel syslog can expose sensitive kernel address information.
To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
kernel.dmesg_restrict=1
network sysctl tweaks:
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Rationale:
An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
Rationale:
Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured.
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1
Rationale:
Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.
net.ipv6.conf.default.accept_redirects = 0
[1] https://github.com/openstack/tripleo-heat-templates/blob/1fcae324219a77d74fa12fb9eaac400a0658cac4/puppet/services/kernel.yaml |
|
2017-03-03 11:05:47 |
Luke Hinds |
description |
The following additions should be added to sysctl [1] to improve security and help meet security compliance standards.
* Disable Core Dumps for SUID programs
The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.
fs.suid_dumpable = 0
* Enable Randomized Layout of Virtual Address Space
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
kernel.randomize_va_space = 2
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
* Restrict Access to Kernel Message Buffer
Unprivileged access to the kernel syslog can expose sensitive kernel address information.
To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
kernel.dmesg_restrict=1
network sysctl tweaks:
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Rationale:
An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
Rationale:
Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured.
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1
Rationale:
Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.
net.ipv6.conf.default.accept_redirects = 0
[1] https://github.com/openstack/tripleo-heat-templates/blob/1fcae324219a77d74fa12fb9eaac400a0658cac4/puppet/services/kernel.yaml |
The following additions should be added to sysctl [1] to improve security and help meet security compliance standards.
* Disable Core Dumps for SUID programs
fs.suid_dumpable = 0
Rationale: The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.
* Enable Randomized Layout of Virtual Address Space
kernel.randomize_va_space = 2
Rationale: Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
* Restrict Access to Kernel Message Buffer
kernel.dmesg_restrict=1
Rationale: Unprivileged access to the kernel syslog can expose sensitive kernel address information.
* Network sysctl tweaks:
- Disable Kernel Parameter for Sending ICMP Redirects
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Rationale: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.
- Disable Kernel Parameter for Accepting ICMP Redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Rationale: Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured.
- Disable Kernel Parameter for secure ICMP Redirects
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
Rationale: Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure.
- Enable Kernel Parameter to log suspicious packets by Default
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1
Rationale: Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.
- Ensure source routed packets are not accepted
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
Rationale: Setting net.ipv4.conf.all.accept_source_route and
net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice
versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing.
- Ensure broadcast ICMP requests are ignored
net.ipv4.icmp_echo_ignore_broadcasts = 1
Rationale: Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf
attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied.
- Ensure bogus ICMP responses are ignored
net.ipv4.icmp_ignore_bogus_error_responses = 1
Rationale: Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages.
Ensure Reverse Path Filtering is enabled
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
Rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols
(bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
- Ensure TCP SYN Cookies is enabled
net.ipv4.tcp_syncookies = 1
Rationale: Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack.
[1] https://github.com/openstack/tripleo-heat-templates/blob/1fcae324219a77d74fa12fb9eaac400a0658cac4/puppet/services/kernel.yaml |
|
2017-03-03 11:50:52 |
Luke Hinds |
description |
The following additions should be added to sysctl [1] to improve security and help meet security compliance standards.
* Disable Core Dumps for SUID programs
fs.suid_dumpable = 0
Rationale: The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.
* Enable Randomized Layout of Virtual Address Space
kernel.randomize_va_space = 2
Rationale: Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
* Restrict Access to Kernel Message Buffer
kernel.dmesg_restrict=1
Rationale: Unprivileged access to the kernel syslog can expose sensitive kernel address information.
* Network sysctl tweaks:
- Disable Kernel Parameter for Sending ICMP Redirects
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Rationale: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.
- Disable Kernel Parameter for Accepting ICMP Redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Rationale: Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured.
- Disable Kernel Parameter for secure ICMP Redirects
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
Rationale: Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure.
- Enable Kernel Parameter to log suspicious packets by Default
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1
Rationale: Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.
- Ensure source routed packets are not accepted
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
Rationale: Setting net.ipv4.conf.all.accept_source_route and
net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice
versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing.
- Ensure broadcast ICMP requests are ignored
net.ipv4.icmp_echo_ignore_broadcasts = 1
Rationale: Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf
attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied.
- Ensure bogus ICMP responses are ignored
net.ipv4.icmp_ignore_bogus_error_responses = 1
Rationale: Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages.
Ensure Reverse Path Filtering is enabled
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
Rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols
(bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
- Ensure TCP SYN Cookies is enabled
net.ipv4.tcp_syncookies = 1
Rationale: Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack.
[1] https://github.com/openstack/tripleo-heat-templates/blob/1fcae324219a77d74fa12fb9eaac400a0658cac4/puppet/services/kernel.yaml |
The following additions should be added to sysctl [1] to improve security and help meet security compliance standards.
* Disable Core Dumps for SUID programs
fs.suid_dumpable = 0
Rationale: The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.
* Enable Randomized Layout of Virtual Address Space
kernel.randomize_va_space = 2
Rationale: Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
* Restrict Access to Kernel Message Buffer
kernel.dmesg_restrict=1
Rationale: Unprivileged access to the kernel syslog can expose sensitive kernel address information.
* Network sysctl tweaks:
- Disable Kernel Parameter for Sending ICMP Redirects
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Rationale: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.
- Disable Kernel Parameter for Accepting ICMP Redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Rationale: Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured.
- Disable Kernel Parameter for secure ICMP Redirects
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
Rationale: Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure.
- Enable Kernel Parameter to log suspicious packets by Default
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1
Rationale: Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.
- Ensure source routed packets are not accepted
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
Rationale: Setting net.ipv4.conf.all.accept_source_route and
net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice
versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing.
- Ensure broadcast ICMP requests are ignored
net.ipv4.icmp_echo_ignore_broadcasts = 1
Rationale: Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf
attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied.
- Ensure bogus ICMP responses are ignored
net.ipv4.icmp_ignore_bogus_error_responses = 1
Rationale: Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages.
Ensure Reverse Path Filtering is enabled
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
Rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols
(bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
- Ensure TCP SYN Cookies is enabled
net.ipv4.tcp_syncookies = 1
Rationale: Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack.
- Ensure IPv6 redirects are not accepted by Default
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
Rationale: It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.
- Disable Source-Routed Packets
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
Rationale: see ipv4 source-routed packets
- Ensure IPv6 is disabled
options ipv6 disable=1
Rationale: If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system.
[1] https://github.com/openstack/tripleo-heat-templates/blob/1fcae324219a77d74fa12fb9eaac400a0658cac4/puppet/services/kernel.yaml |
|
2017-04-11 10:56:45 |
Emilien Macchi |
tripleo: milestone |
pike-1 |
pike-2 |
|
2017-06-08 20:46:38 |
Emilien Macchi |
tripleo: milestone |
pike-2 |
pike-3 |
|
2017-07-30 04:38:20 |
Emilien Macchi |
tripleo: milestone |
pike-3 |
pike-rc1 |
|
2017-08-25 13:41:18 |
Emilien Macchi |
tripleo: milestone |
pike-rc1 |
pike-rc2 |
|
2017-09-05 18:32:52 |
Emilien Macchi |
tripleo: milestone |
pike-rc2 |
queens-1 |
|
2017-10-23 16:08:17 |
Emilien Macchi |
tripleo: milestone |
queens-1 |
queens-2 |
|
2017-12-05 00:05:16 |
Alex Schultz |
tripleo: milestone |
queens-2 |
queens-3 |
|
2018-01-03 18:18:26 |
Mike Fedosin |
tripleo: assignee |
|
Mike Fedosin (mfedosin) |
|
2018-01-04 18:22:57 |
OpenStack Infra |
tripleo: status |
Triaged |
In Progress |
|
2018-01-08 11:24:19 |
Bogdan Dobrelya |
tags |
security-hardening |
pike-backport-potential security-hardening |
|
2018-01-26 00:51:28 |
Emilien Macchi |
tripleo: milestone |
queens-3 |
queens-rc1 |
|
2018-03-02 20:15:55 |
Alex Schultz |
tripleo: milestone |
queens-rc1 |
rocky-1 |
|
2018-04-20 17:03:32 |
Alex Schultz |
tripleo: milestone |
rocky-1 |
rocky-2 |
|
2018-06-05 19:04:28 |
Emilien Macchi |
tripleo: milestone |
rocky-2 |
rocky-3 |
|
2018-07-26 13:42:24 |
Emilien Macchi |
tripleo: milestone |
rocky-3 |
rocky-rc1 |
|
2018-07-31 17:04:20 |
Alex Schultz |
tripleo: status |
In Progress |
Triaged |
|
2018-07-31 17:04:22 |
Alex Schultz |
tripleo: assignee |
Mike Fedosin (mfedosin) |
|
|
2018-08-14 14:58:32 |
Alex Schultz |
tripleo: milestone |
rocky-rc1 |
stein-1 |
|
2018-10-30 16:13:46 |
Juan Antonio Osorio Robles |
tripleo: milestone |
stein-1 |
stein-2 |
|
2018-12-29 23:57:11 |
Emilien Macchi |
tripleo: importance |
High |
Undecided |
|
2018-12-29 23:57:11 |
Emilien Macchi |
tripleo: status |
Triaged |
Expired |
|