scap-security-guide/scap-security-guide-0.1.63-remove_network_sysctl_rules-PR_9092.patch

201 lines
7.3 KiB
Diff
Raw Normal View History

From 2940804e45b98060428593218d352b0ff2d1e2bc Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 4 Jul 2022 13:52:01 +0200
Subject: [PATCH 1/7] RHEL9 OSPP: Drop rules w/o specific need aligned with
default value
Remove rules that just reenforce RHEL9 default without specific
OSPP requirement.
---
products/rhel9/profiles/ospp.profile | 8 --------
1 file changed, 8 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 534b3312575..6b57dcdeeb7 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -78,20 +78,12 @@ selections:
- sysctl_net_ipv4_conf_default_accept_redirects
- sysctl_net_ipv6_conf_all_accept_redirects
- sysctl_net_ipv6_conf_default_accept_redirects
- - sysctl_net_ipv4_conf_all_accept_source_route
- - sysctl_net_ipv4_conf_default_accept_source_route
- - sysctl_net_ipv6_conf_all_accept_source_route
- - sysctl_net_ipv6_conf_default_accept_source_route
- sysctl_net_ipv4_conf_all_secure_redirects
- sysctl_net_ipv4_conf_default_secure_redirects
- sysctl_net_ipv4_conf_all_send_redirects
- sysctl_net_ipv4_conf_default_send_redirects
- sysctl_net_ipv4_conf_all_log_martians
- sysctl_net_ipv4_conf_default_log_martians
- - sysctl_net_ipv4_conf_all_rp_filter
- - sysctl_net_ipv4_conf_default_rp_filter
- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
- sysctl_net_ipv4_ip_forward
- sysctl_net_ipv4_tcp_syncookies
From 4215e69c3264404b4f8597bb12536ddf9f95fe59 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 4 Jul 2022 13:58:24 +0200
Subject: [PATCH 2/7] RHEL9 OSPP: Drop rules affecting important funcionality
The TCP SYN cookikes rules may prevent some TCP options from working;
and without accepting Router Advertisements, ability of hosts to use
IPv6 becomes severely limited.
---
products/rhel9/profiles/ospp.profile | 3 ---
1 file changed, 3 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 6b57dcdeeb7..d0000be5041 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -72,8 +72,6 @@ selections:
- chronyd_client_only
### Network Settings
- - sysctl_net_ipv6_conf_all_accept_ra
- - sysctl_net_ipv6_conf_default_accept_ra
- sysctl_net_ipv4_conf_all_accept_redirects
- sysctl_net_ipv4_conf_default_accept_redirects
- sysctl_net_ipv6_conf_all_accept_redirects
@@ -85,7 +83,6 @@ selections:
- sysctl_net_ipv4_conf_all_log_martians
- sysctl_net_ipv4_conf_default_log_martians
- sysctl_net_ipv4_ip_forward
- - sysctl_net_ipv4_tcp_syncookies
### systemd
- disable_ctrlaltdel_reboot
From 10a621b7fc934a81080632159b61328e303f39cf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 4 Jul 2022 14:01:41 +0200
Subject: [PATCH 3/7] RHEL9 OSPP: Drop rules changing default values not
related to OSPP
Removes rules that change RHEL9 default values but are not related to
any specific OSPP requirement
---
products/rhel9/profiles/ospp.profile | 4 ----
1 file changed, 4 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index d0000be5041..e9dbb8bc7bd 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -72,10 +72,6 @@ selections:
- chronyd_client_only
### Network Settings
- - sysctl_net_ipv4_conf_all_accept_redirects
- - sysctl_net_ipv4_conf_default_accept_redirects
- - sysctl_net_ipv6_conf_all_accept_redirects
- - sysctl_net_ipv6_conf_default_accept_redirects
- sysctl_net_ipv4_conf_all_secure_redirects
- sysctl_net_ipv4_conf_default_secure_redirects
- sysctl_net_ipv4_conf_all_send_redirects
From 1710015450a9b6780be2f5ed363c893d437f923d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 4 Jul 2022 14:03:53 +0200
Subject: [PATCH 4/7] RHEL9 OSPP: Drop send redirect rules that don't affect
the TOE
Remove rules that changes the default value but don't impact the
security of the TOE in any way.
---
products/rhel9/profiles/ospp.profile | 2 --
1 file changed, 2 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index e9dbb8bc7bd..159170d5ff9 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -74,8 +74,6 @@ selections:
### Network Settings
- sysctl_net_ipv4_conf_all_secure_redirects
- sysctl_net_ipv4_conf_default_secure_redirects
- - sysctl_net_ipv4_conf_all_send_redirects
- - sysctl_net_ipv4_conf_default_send_redirects
- sysctl_net_ipv4_conf_all_log_martians
- sysctl_net_ipv4_conf_default_log_martians
- sysctl_net_ipv4_ip_forward
From 6d4bc8ef333a361a9c1149be44fa0796f81fa7dc Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 4 Jul 2022 14:05:22 +0200
Subject: [PATCH 5/7] RHEL9 OSPP: Remove rules that affect secuity of TOE
Sysctl allows redirects only when they are considered secure.
---
products/rhel9/profiles/ospp.profile | 2 --
1 file changed, 2 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 159170d5ff9..771daed43e2 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -72,8 +72,6 @@ selections:
- chronyd_client_only
### Network Settings
- - sysctl_net_ipv4_conf_all_secure_redirects
- - sysctl_net_ipv4_conf_default_secure_redirects
- sysctl_net_ipv4_conf_all_log_martians
- sysctl_net_ipv4_conf_default_log_martians
- sysctl_net_ipv4_ip_forward
From 8e1bedea2fd0740ee7d25cb028af1d8031fc6710 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 4 Jul 2022 14:08:47 +0200
Subject: [PATCH 6/7] RHEL9 OSPP: Drop log martians rules
Remove rules that might help with detecting network issues but not
related to TOE security.
---
products/rhel9/profiles/ospp.profile | 2 --
1 file changed, 2 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 771daed43e2..58702502bf4 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -72,8 +72,6 @@ selections:
- chronyd_client_only
### Network Settings
- - sysctl_net_ipv4_conf_all_log_martians
- - sysctl_net_ipv4_conf_default_log_martians
- sysctl_net_ipv4_ip_forward
### systemd
From 7ffc1fb101edc8f29ace5c9e84d3f39e2a3cbfae Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 4 Jul 2022 14:09:57 +0200
Subject: [PATCH 7/7] RHEL9 OSPP: Drop rule preventing forwarding
Remove rule that prevents routing which is a valid use-case.
This is also needed for containerized and VM-hosting setups.
---
products/rhel9/profiles/ospp.profile | 3 ---
1 file changed, 3 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 58702502bf4..c9e944b32d2 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -71,9 +71,6 @@ selections:
# Time Server
- chronyd_client_only
- ### Network Settings
- - sysctl_net_ipv4_ip_forward
-
### systemd
- disable_ctrlaltdel_reboot
- disable_ctrlaltdel_burstaction