kernel - Kernel parameters

The Linux kernel has many parameters that can improve overall system security and most of these parameters can be changed while a system is running.

Overview

The security role applies several changes to kernel parameters and each of these changes are controlled by Ansible variables. Review the ## Kernel settings section within defaults/main.yml file for more information on these changes.

One deviation appears in this section for IP forwarding. Review the documentation for V-72309 below for more details.

STIG requirements

All of the tasks for these STIG requirements are included in tasks/rhel7stig/kernel.yml.

V-71983

  • Summary: USB mass storage must be disabled.

  • Severity: Medium

  • Implementation Status: Opt-In

Deployer/Auditor notes

The tasks in the security role disable the usb-storage module and the change is applied the next time the server is rebooted.

Deployers can opt out of this change by setting the following Ansible variable:

security_rhel7_disable_usb_storage: no

V-72057

  • Summary: Kernel core dumps must be disabled unless needed.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The kdump service is disabled if it exists on the system. Deployers can opt out of this change by setting the following Ansible variable:

security_disable_kdump: no

V-72283

  • Summary: The system must not forward Internet Protocol version 4 (IPv4) source-routed packets.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The tasks in this role set net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 by default. This prevents the system from forwarding source-routed IPv4 packets on all new and existing interfaces.

Deployers can opt out of this change by setting the following Ansible variable:

security_disallow_source_routed_packet_forward_ipv4: no

For more details on source routed packets, refer to the Red Hat documentation.

V-72285

  • Summary: The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

This control is implemented by the tasks for another control:

V-72287

  • Summary: The system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The tasks in this role set net.ipv4.icmp_echo_ignore_broadcasts to 1 by default. This prevents the system from responding to IPv4 ICMP echoes sent to the broadcast address.

Deployers can opt out of this change by setting the following Ansible variable:

security_disallow_echoes_broadcast_address: no

V-72291

  • Summary: The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The tasks in this role set net.ipv4.conf.default.send_redirects and net.ipv4.conf.all.send_redirects to 0 by default. This prevents a system from sending IPv4 ICMP redirect packets on all new and existing interfaces.

Deployers can opt out of this change by setting the following Ansible variable:

security_disallow_icmp_redirects: no

V-72293

  • Summary: The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.

  • Severity: Medium

  • Implementation Status: Implemented

V-72309

  • Summary: The system must not be performing packet forwarding unless the system is a router.

  • Severity: Medium

  • Implementation Status: Opt-In

Deployer/Auditor notes

Disabling IP forwarding on a system that routes packets or host virtual machines might cause network interruptions. The tasks in this role do not adjust the net.ipv4.ip_forward configuration by default.

Deployers can opt in for this change and disable IP forwarding by setting the following Ansible variable:

security_disallow_ip_forwarding: yes

Warning

IP forwarding is required in some environments. Always test in a non-production environment before changing this setting on a production system.

V-72319

  • Summary: The system must not forward IPv6 source-routed packets.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The tasks in this role set net.ipv6.conf.all.accept_source_route to 0 by default. This prevents the system from forwarding source-routed IPv6 packets.

Deployers can opt out of this change by setting the following Ansible variable:

security_disallow_source_routed_packet_forward_ipv6: no

Refer to “IPv6 source routing: history repeats itself” for more details on IPv6 source routed packets.

V-73175

  • Summary: The system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

This control is implemented by the tasks for another control:

V-77821

  • Summary: The Datagram Congestion Control Protocol (DCCP) kernel module must be disabled unless required.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The ansible-hardening role disables the DCCP kernel module by default. Each system must be rebooted to fully apply the change.

Deployers can opt out of the change by setting the following Ansible variable:

security_rhel7_disable_dccp: no

V-77825

  • Summary: The operating system must implement virtual address space randomization.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

Most modern systems enable Address Space Layout Randomization (ASLR) by default (with a setting of 2), and the role ensures that the secure default is maintained.

Deployers can opt out of the change by setting the following Ansible variable:

security_enable_aslr: no

For more details on the ASLR settings, review the sysctl documentation.