tripleo-heat-templates/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml
zshi 7268d1ae14 Add network sysctl tweaks for security
* Disable Kernel Parameter for Sending ICMP Redirects:
    - net.ipv4.conf.default.send_redirects = 0
    - net.ipv4.conf.all.send_redirects = 0

    Rationale: An attacker could use a compromised host
    to send invalid ICMP redirects to other router devices
    in an attempt to corrupt routing and have users access
    a system set up by the attacker as opposed to a valid
    system.

* Disable Kernel Parameter for Accepting ICMP Redirects:
    - net.ipv4.conf.default.accept_redirects = 0

    Rationale: Attackers could use bogus ICMP redirect
    messages to maliciously alter the system routing tables
    and get them to send packets to incorrect networks and
    allow your system packets to be captured.

* Disable Kernel Parameter for secure ICMP Redirects:
    - net.ipv4.conf.default.secure_redirects = 0
    - net.ipv4.conf.all.secure_redirects = 0

    Rationale: Secure ICMP redirects are the same as ICMP
    redirects, except they come from gateways listed on
    the default gateway list. It is assumed that these
    gateways are known to your system, and that they are
    likely to be secure.

* Enable Kernel Parameter to log suspicious packets:
    - net.ipv4.conf.default.log_martians = 1
    - net.ipv4.conf.all.log_martians = 1

    Rationale: Enabling this feature and logging these packets
    allows an administrator to investigate the possibility
    that an attacker is sending spoofed packets to their system.

* Ensure IPv6 redirects are not accepted by Default
    - net.ipv6.conf.all.accept_redirects = 0
    - net.ipv6.conf.default.accept_redirects = 0

    Rationale: It is recommended that systems not accept ICMP
    redirects as they could be tricked into routing traffic to
    compromised machines. Setting hard routes within the system
    (usually a single default route to a trusted router) protects
    the system from bad routes.

Change-Id: I2e8ab3141ee37ee6dd5a23d23dbb97c93610ea2e
Co-Authored-By: Luke Hinds <lhinds@redhat.com>
Signed-off-by: zshi <zshi@redhat.com>
2017-03-29 16:34:29 +08:00

10 lines
292 B
YAML

---
upgrade:
- |
The net.ipv4.conf.default.log_martians & net.ipv4.conf.all.log_martians are
now set to 1 to enable logging of suspicious packets.
security:
- |
Logging of suspicious packets allows an administrator to investigate the
spoofed packets sent to their system.