201 lines
7.3 KiB
Diff
201 lines
7.3 KiB
Diff
|
From 2940804e45b98060428593218d352b0ff2d1e2bc Mon Sep 17 00:00:00 2001
|
||
|
From: Watson Sato <wsato@redhat.com>
|
||
|
Date: Mon, 4 Jul 2022 13:52:01 +0200
|
||
|
Subject: [PATCH 1/7] RHEL9 OSPP: Drop rules w/o specific need aligned with
|
||
|
default value
|
||
|
|
||
|
Remove rules that just reenforce RHEL9 default without specific
|
||
|
OSPP requirement.
|
||
|
---
|
||
|
products/rhel9/profiles/ospp.profile | 8 --------
|
||
|
1 file changed, 8 deletions(-)
|
||
|
|
||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||
|
index 534b3312575..6b57dcdeeb7 100644
|
||
|
--- a/products/rhel9/profiles/ospp.profile
|
||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||
|
@@ -78,20 +78,12 @@ selections:
|
||
|
- sysctl_net_ipv4_conf_default_accept_redirects
|
||
|
- sysctl_net_ipv6_conf_all_accept_redirects
|
||
|
- sysctl_net_ipv6_conf_default_accept_redirects
|
||
|
- - sysctl_net_ipv4_conf_all_accept_source_route
|
||
|
- - sysctl_net_ipv4_conf_default_accept_source_route
|
||
|
- - sysctl_net_ipv6_conf_all_accept_source_route
|
||
|
- - sysctl_net_ipv6_conf_default_accept_source_route
|
||
|
- sysctl_net_ipv4_conf_all_secure_redirects
|
||
|
- sysctl_net_ipv4_conf_default_secure_redirects
|
||
|
- sysctl_net_ipv4_conf_all_send_redirects
|
||
|
- sysctl_net_ipv4_conf_default_send_redirects
|
||
|
- sysctl_net_ipv4_conf_all_log_martians
|
||
|
- sysctl_net_ipv4_conf_default_log_martians
|
||
|
- - sysctl_net_ipv4_conf_all_rp_filter
|
||
|
- - sysctl_net_ipv4_conf_default_rp_filter
|
||
|
- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
|
||
|
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
||
|
- sysctl_net_ipv4_ip_forward
|
||
|
- sysctl_net_ipv4_tcp_syncookies
|
||
|
|
||
|
|
||
|
From 4215e69c3264404b4f8597bb12536ddf9f95fe59 Mon Sep 17 00:00:00 2001
|
||
|
From: Watson Sato <wsato@redhat.com>
|
||
|
Date: Mon, 4 Jul 2022 13:58:24 +0200
|
||
|
Subject: [PATCH 2/7] RHEL9 OSPP: Drop rules affecting important funcionality
|
||
|
|
||
|
The TCP SYN cookikes rules may prevent some TCP options from working;
|
||
|
and without accepting Router Advertisements, ability of hosts to use
|
||
|
IPv6 becomes severely limited.
|
||
|
---
|
||
|
products/rhel9/profiles/ospp.profile | 3 ---
|
||
|
1 file changed, 3 deletions(-)
|
||
|
|
||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||
|
index 6b57dcdeeb7..d0000be5041 100644
|
||
|
--- a/products/rhel9/profiles/ospp.profile
|
||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||
|
@@ -72,8 +72,6 @@ selections:
|
||
|
- chronyd_client_only
|
||
|
|
||
|
### Network Settings
|
||
|
- - sysctl_net_ipv6_conf_all_accept_ra
|
||
|
- - sysctl_net_ipv6_conf_default_accept_ra
|
||
|
- sysctl_net_ipv4_conf_all_accept_redirects
|
||
|
- sysctl_net_ipv4_conf_default_accept_redirects
|
||
|
- sysctl_net_ipv6_conf_all_accept_redirects
|
||
|
@@ -85,7 +83,6 @@ selections:
|
||
|
- sysctl_net_ipv4_conf_all_log_martians
|
||
|
- sysctl_net_ipv4_conf_default_log_martians
|
||
|
- sysctl_net_ipv4_ip_forward
|
||
|
- - sysctl_net_ipv4_tcp_syncookies
|
||
|
|
||
|
### systemd
|
||
|
- disable_ctrlaltdel_reboot
|
||
|
|
||
|
From 10a621b7fc934a81080632159b61328e303f39cf Mon Sep 17 00:00:00 2001
|
||
|
From: Watson Sato <wsato@redhat.com>
|
||
|
Date: Mon, 4 Jul 2022 14:01:41 +0200
|
||
|
Subject: [PATCH 3/7] RHEL9 OSPP: Drop rules changing default values not
|
||
|
related to OSPP
|
||
|
|
||
|
Removes rules that change RHEL9 default values but are not related to
|
||
|
any specific OSPP requirement
|
||
|
---
|
||
|
products/rhel9/profiles/ospp.profile | 4 ----
|
||
|
1 file changed, 4 deletions(-)
|
||
|
|
||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||
|
index d0000be5041..e9dbb8bc7bd 100644
|
||
|
--- a/products/rhel9/profiles/ospp.profile
|
||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||
|
@@ -72,10 +72,6 @@ selections:
|
||
|
- chronyd_client_only
|
||
|
|
||
|
### Network Settings
|
||
|
- - sysctl_net_ipv4_conf_all_accept_redirects
|
||
|
- - sysctl_net_ipv4_conf_default_accept_redirects
|
||
|
- - sysctl_net_ipv6_conf_all_accept_redirects
|
||
|
- - sysctl_net_ipv6_conf_default_accept_redirects
|
||
|
- sysctl_net_ipv4_conf_all_secure_redirects
|
||
|
- sysctl_net_ipv4_conf_default_secure_redirects
|
||
|
- sysctl_net_ipv4_conf_all_send_redirects
|
||
|
|
||
|
From 1710015450a9b6780be2f5ed363c893d437f923d Mon Sep 17 00:00:00 2001
|
||
|
From: Watson Sato <wsato@redhat.com>
|
||
|
Date: Mon, 4 Jul 2022 14:03:53 +0200
|
||
|
Subject: [PATCH 4/7] RHEL9 OSPP: Drop send redirect rules that don't affect
|
||
|
the TOE
|
||
|
|
||
|
Remove rules that changes the default value but don't impact the
|
||
|
security of the TOE in any way.
|
||
|
---
|
||
|
products/rhel9/profiles/ospp.profile | 2 --
|
||
|
1 file changed, 2 deletions(-)
|
||
|
|
||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||
|
index e9dbb8bc7bd..159170d5ff9 100644
|
||
|
--- a/products/rhel9/profiles/ospp.profile
|
||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||
|
@@ -74,8 +74,6 @@ selections:
|
||
|
### Network Settings
|
||
|
- sysctl_net_ipv4_conf_all_secure_redirects
|
||
|
- sysctl_net_ipv4_conf_default_secure_redirects
|
||
|
- - sysctl_net_ipv4_conf_all_send_redirects
|
||
|
- - sysctl_net_ipv4_conf_default_send_redirects
|
||
|
- sysctl_net_ipv4_conf_all_log_martians
|
||
|
- sysctl_net_ipv4_conf_default_log_martians
|
||
|
- sysctl_net_ipv4_ip_forward
|
||
|
|
||
|
From 6d4bc8ef333a361a9c1149be44fa0796f81fa7dc Mon Sep 17 00:00:00 2001
|
||
|
From: Watson Sato <wsato@redhat.com>
|
||
|
Date: Mon, 4 Jul 2022 14:05:22 +0200
|
||
|
Subject: [PATCH 5/7] RHEL9 OSPP: Remove rules that affect secuity of TOE
|
||
|
|
||
|
Sysctl allows redirects only when they are considered secure.
|
||
|
---
|
||
|
products/rhel9/profiles/ospp.profile | 2 --
|
||
|
1 file changed, 2 deletions(-)
|
||
|
|
||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||
|
index 159170d5ff9..771daed43e2 100644
|
||
|
--- a/products/rhel9/profiles/ospp.profile
|
||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||
|
@@ -72,8 +72,6 @@ selections:
|
||
|
- chronyd_client_only
|
||
|
|
||
|
### Network Settings
|
||
|
- - sysctl_net_ipv4_conf_all_secure_redirects
|
||
|
- - sysctl_net_ipv4_conf_default_secure_redirects
|
||
|
- sysctl_net_ipv4_conf_all_log_martians
|
||
|
- sysctl_net_ipv4_conf_default_log_martians
|
||
|
- sysctl_net_ipv4_ip_forward
|
||
|
|
||
|
From 8e1bedea2fd0740ee7d25cb028af1d8031fc6710 Mon Sep 17 00:00:00 2001
|
||
|
From: Watson Sato <wsato@redhat.com>
|
||
|
Date: Mon, 4 Jul 2022 14:08:47 +0200
|
||
|
Subject: [PATCH 6/7] RHEL9 OSPP: Drop log martians rules
|
||
|
|
||
|
Remove rules that might help with detecting network issues but not
|
||
|
related to TOE security.
|
||
|
---
|
||
|
products/rhel9/profiles/ospp.profile | 2 --
|
||
|
1 file changed, 2 deletions(-)
|
||
|
|
||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||
|
index 771daed43e2..58702502bf4 100644
|
||
|
--- a/products/rhel9/profiles/ospp.profile
|
||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||
|
@@ -72,8 +72,6 @@ selections:
|
||
|
- chronyd_client_only
|
||
|
|
||
|
### Network Settings
|
||
|
- - sysctl_net_ipv4_conf_all_log_martians
|
||
|
- - sysctl_net_ipv4_conf_default_log_martians
|
||
|
- sysctl_net_ipv4_ip_forward
|
||
|
|
||
|
### systemd
|
||
|
|
||
|
From 7ffc1fb101edc8f29ace5c9e84d3f39e2a3cbfae Mon Sep 17 00:00:00 2001
|
||
|
From: Watson Sato <wsato@redhat.com>
|
||
|
Date: Mon, 4 Jul 2022 14:09:57 +0200
|
||
|
Subject: [PATCH 7/7] RHEL9 OSPP: Drop rule preventing forwarding
|
||
|
|
||
|
Remove rule that prevents routing which is a valid use-case.
|
||
|
This is also needed for containerized and VM-hosting setups.
|
||
|
---
|
||
|
products/rhel9/profiles/ospp.profile | 3 ---
|
||
|
1 file changed, 3 deletions(-)
|
||
|
|
||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||
|
index 58702502bf4..c9e944b32d2 100644
|
||
|
--- a/products/rhel9/profiles/ospp.profile
|
||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||
|
@@ -71,9 +71,6 @@ selections:
|
||
|
# Time Server
|
||
|
- chronyd_client_only
|
||
|
|
||
|
- ### Network Settings
|
||
|
- - sysctl_net_ipv4_ip_forward
|
||
|
-
|
||
|
### systemd
|
||
|
- disable_ctrlaltdel_reboot
|
||
|
- disable_ctrlaltdel_burstaction
|