Disable martian logging by default

This patch disables martian packet logging and updates the documentation to reflect the new default. A release note is also included to make deployers aware of the change. Closes-bug: 1619039 Change-Id: I4b19aa1200298a92c85824e319bb919260e5a6d0
2016-08-31 15:54:48 -05:00 · 2016-08-31 15:54:48 -05:00 · e58ae245ad
parent 83dd342b19
commit e58ae245ad
4 changed files with 35 additions and 4 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -225,6 +225,7 @@ security_disable_icmpv6_redirects: no             # V-38548
 # ** DANGER **
 #
 security_sysctl_enable_tcp_syncookies: yes        # V-38539
+security_sysctl_enable_martian_logging: no        # V-38528
 #
 # Deployers who wish to disable IPv6 entirely must set this configuration
 # variable to 'yes'. See the documentation for V-38546 before making this
--- a/doc/source/stig-notes/V-38528_developer.rst
+++ b/doc/source/stig-notes/V-38528_developer.rst
@ -1,5 +1,22 @@
-The Ansible task in this role will ensure that martian packets are logged to
-rsyslog.  Wikpedia's article on `martian packets`_ provides additional
-information.
+**Exception**
+
+The STIG requires that all martian packets are logged by setting the sysctl
+parameter ``net.ipv4.conf.all.log_martians`` to ``1``.
+
+Although the logs can be valuable in some situations, the setting can generate
+a *significant* amount of logging in OpenStack environments, especially those
+that use neutron's Linux bridge networking. In some situations, the logging can
+flood the physical terminal and make troubleshooting at the console or via out
+of band (like iKVM, DRAC and iLO) **extremely difficult**.
+
+The role will ensure that martian packet logging is disabled by default.
+Deployers that need this logging enabled will need to set the following
+Ansible variable:
+
+.. code-block:: yaml
+
+   security_sysctl_enable_martian_logging: yes
+
+Wikpedia's article on `martian packets`_ provides additional information.

 .. _martian packets: https://en.wikipedia.org/wiki/Martian_packet
--- a/releasenotes/notes/configurable-martian-logging-370ede40b036db0b.yaml
+++ b/releasenotes/notes/configurable-martian-logging-370ede40b036db0b.yaml
@ -0,0 +1,13 @@
+---
+features:
+  - |
+    Although the STIG requires martian packets to be logged, the logging is
+    now disabled by default. The logs can quickly fill up a syslog server or
+    make a physical console unusable.
+
+    Deployers that need this logging enabled will need to set the following
+    Ansible variable:
+
+    .. code-block:: yaml
+
+       security_sysctl_enable_martian_logging: yes
--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
@ -16,7 +16,7 @@
 - name: V-38528 - The system must log martian packets
  sysctl:
    name: net.ipv4.conf.all.log_martians
-    value: 1
+    value: "{{ (security_sysctl_enable_martian_logging | bool) | ternary('1', '0') }}"
    state: present
    sysctl_set: yes
  tags: