remove network-related sysctl rules from rhel9 ospp

Resolves:rhbz#2081708
2022-07-18 10:49:34 +02:00 · 2022-07-18 10:49:34 +02:00 · 71a4d79910
commit 71a4d79910
parent 3c0a847089
2 changed files with 202 additions and 0 deletions
--- a/scap-security-guide-0.1.63-remove_network_sysctl_rules-PR_9092.patch
+++ b/scap-security-guide-0.1.63-remove_network_sysctl_rules-PR_9092.patch
@ -0,0 +1,200 @@
+From 2940804e45b98060428593218d352b0ff2d1e2bc Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 4 Jul 2022 13:52:01 +0200
+Subject: [PATCH 1/7] RHEL9 OSPP: Drop rules w/o specific need aligned with
+ default value
+
+Remove rules that just reenforce RHEL9 default without specific
+OSPP requirement.
+---
+ products/rhel9/profiles/ospp.profile | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 534b3312575..6b57dcdeeb7 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -78,20 +78,12 @@ selections:
+     - sysctl_net_ipv4_conf_default_accept_redirects
+     - sysctl_net_ipv6_conf_all_accept_redirects
+     - sysctl_net_ipv6_conf_default_accept_redirects
+-    - sysctl_net_ipv4_conf_all_accept_source_route
+-    - sysctl_net_ipv4_conf_default_accept_source_route
+-    - sysctl_net_ipv6_conf_all_accept_source_route
+-    - sysctl_net_ipv6_conf_default_accept_source_route
+     - sysctl_net_ipv4_conf_all_secure_redirects
+     - sysctl_net_ipv4_conf_default_secure_redirects
+     - sysctl_net_ipv4_conf_all_send_redirects
+     - sysctl_net_ipv4_conf_default_send_redirects
+     - sysctl_net_ipv4_conf_all_log_martians
+     - sysctl_net_ipv4_conf_default_log_martians
+-    - sysctl_net_ipv4_conf_all_rp_filter
+-    - sysctl_net_ipv4_conf_default_rp_filter
+-    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+-    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+     - sysctl_net_ipv4_ip_forward
+     - sysctl_net_ipv4_tcp_syncookies
+ 
+
+From 4215e69c3264404b4f8597bb12536ddf9f95fe59 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 4 Jul 2022 13:58:24 +0200
+Subject: [PATCH 2/7] RHEL9 OSPP: Drop rules affecting important funcionality
+
+The TCP SYN cookikes rules may prevent some TCP options from working;
+and without accepting Router Advertisements, ability of hosts to use
+IPv6 becomes severely limited.
+---
+ products/rhel9/profiles/ospp.profile | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 6b57dcdeeb7..d0000be5041 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -72,8 +72,6 @@ selections:
+     - chronyd_client_only
+ 
+     ### Network Settings
+-    - sysctl_net_ipv6_conf_all_accept_ra
+-    - sysctl_net_ipv6_conf_default_accept_ra
+     - sysctl_net_ipv4_conf_all_accept_redirects
+     - sysctl_net_ipv4_conf_default_accept_redirects
+     - sysctl_net_ipv6_conf_all_accept_redirects
+@@ -85,7 +83,6 @@ selections:
+     - sysctl_net_ipv4_conf_all_log_martians
+     - sysctl_net_ipv4_conf_default_log_martians
+     - sysctl_net_ipv4_ip_forward
+-    - sysctl_net_ipv4_tcp_syncookies
+ 
+     ### systemd
+     - disable_ctrlaltdel_reboot
+
+From 10a621b7fc934a81080632159b61328e303f39cf Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 4 Jul 2022 14:01:41 +0200
+Subject: [PATCH 3/7] RHEL9 OSPP: Drop rules changing default values not
+ related to OSPP
+
+Removes rules that change RHEL9 default values but are not related to
+any specific OSPP requirement
+---
+ products/rhel9/profiles/ospp.profile | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index d0000be5041..e9dbb8bc7bd 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -72,10 +72,6 @@ selections:
+     - chronyd_client_only
+ 
+     ### Network Settings
+-    - sysctl_net_ipv4_conf_all_accept_redirects
+-    - sysctl_net_ipv4_conf_default_accept_redirects
+-    - sysctl_net_ipv6_conf_all_accept_redirects
+-    - sysctl_net_ipv6_conf_default_accept_redirects
+     - sysctl_net_ipv4_conf_all_secure_redirects
+     - sysctl_net_ipv4_conf_default_secure_redirects
+     - sysctl_net_ipv4_conf_all_send_redirects
+
+From 1710015450a9b6780be2f5ed363c893d437f923d Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 4 Jul 2022 14:03:53 +0200
+Subject: [PATCH 4/7] RHEL9 OSPP: Drop send redirect rules that don't affect
+ the TOE
+
+Remove rules that changes the default value but don't impact the
+security of the TOE in any way.
+---
+ products/rhel9/profiles/ospp.profile | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index e9dbb8bc7bd..159170d5ff9 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -74,8 +74,6 @@ selections:
+     ### Network Settings
+     - sysctl_net_ipv4_conf_all_secure_redirects
+     - sysctl_net_ipv4_conf_default_secure_redirects
+-    - sysctl_net_ipv4_conf_all_send_redirects
+-    - sysctl_net_ipv4_conf_default_send_redirects
+     - sysctl_net_ipv4_conf_all_log_martians
+     - sysctl_net_ipv4_conf_default_log_martians
+     - sysctl_net_ipv4_ip_forward
+
+From 6d4bc8ef333a361a9c1149be44fa0796f81fa7dc Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 4 Jul 2022 14:05:22 +0200
+Subject: [PATCH 5/7] RHEL9 OSPP: Remove rules that affect secuity of TOE
+
+Sysctl allows redirects only when they are considered secure.
+---
+ products/rhel9/profiles/ospp.profile | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 159170d5ff9..771daed43e2 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -72,8 +72,6 @@ selections:
+     - chronyd_client_only
+ 
+     ### Network Settings
+-    - sysctl_net_ipv4_conf_all_secure_redirects
+-    - sysctl_net_ipv4_conf_default_secure_redirects
+     - sysctl_net_ipv4_conf_all_log_martians
+     - sysctl_net_ipv4_conf_default_log_martians
+     - sysctl_net_ipv4_ip_forward
+
+From 8e1bedea2fd0740ee7d25cb028af1d8031fc6710 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 4 Jul 2022 14:08:47 +0200
+Subject: [PATCH 6/7] RHEL9 OSPP: Drop log martians rules
+
+Remove rules that might help with detecting network issues but not
+related to TOE security.
+---
+ products/rhel9/profiles/ospp.profile | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 771daed43e2..58702502bf4 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -72,8 +72,6 @@ selections:
+     - chronyd_client_only
+ 
+     ### Network Settings
+-    - sysctl_net_ipv4_conf_all_log_martians
+-    - sysctl_net_ipv4_conf_default_log_martians
+     - sysctl_net_ipv4_ip_forward
+ 
+     ### systemd
+
+From 7ffc1fb101edc8f29ace5c9e84d3f39e2a3cbfae Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 4 Jul 2022 14:09:57 +0200
+Subject: [PATCH 7/7] RHEL9 OSPP: Drop rule preventing forwarding
+
+Remove rule that prevents routing which is a valid use-case.
+This is also needed for containerized and VM-hosting setups.
+---
+ products/rhel9/profiles/ospp.profile | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 58702502bf4..c9e944b32d2 100644
+--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
+@@ -71,9 +71,6 @@ selections:
+     # Time Server
+     - chronyd_client_only
+ 
+-    ### Network Settings
+-    - sysctl_net_ipv4_ip_forward
+-
+     ### systemd
+     - disable_ctrlaltdel_reboot
+     - disable_ctrlaltdel_burstaction
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@ -28,6 +28,7 @@ Patch0:                scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rule
 Patch1:                scap-security-guide-0.1.63-audit_access_success_unenforcing-PR_9082.patch
 Patch2:                scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch
 Patch3:                scap-security-guide-0.1.63-sysctl_user_max_user_namespaces_enforce_in_ospp-PR_9084.patch
+Patch4:                scap-security-guide-0.1.63-remove_network_sysctl_rules-PR_9092.patch

 %description
 The scap-security-guide project provides a guide for configuration of the
@ -108,6 +109,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 - Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)
 - Drop zipl_vsyscall_argument rule from RHEL9 OSPP profile (RHBZ#2060049)
 - make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716)
+- Remove some sysctl rules  related to network from RHEL9 OSPP (RHBZ#2081708)

 * Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
 - Rebase to a new upstream release (RHBZ#2070563)