From 2940804e45b98060428593218d352b0ff2d1e2bc Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 4 Jul 2022 13:52:01 +0200
Subject: [PATCH 1/7] RHEL9 OSPP: Drop rules w/o specific need aligned with default value Remove rules that just reenforce RHEL9 default without specific OSPP requirement.
---
 products/rhel9/profiles/ospp.profile | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 534b3312575..6b57dcdeeb7 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -78,20 +78,12 @@ selections:
 - sysctl_net_ipv4_conf_default_accept_redirects
 - sysctl_net_ipv6_conf_all_accept_redirects
 - sysctl_net_ipv6_conf_default_accept_redirects
- - sysctl_net_ipv4_conf_all_accept_source_route
- - sysctl_net_ipv4_conf_default_accept_source_route
- - sysctl_net_ipv6_conf_all_accept_source_route
- - sysctl_net_ipv6_conf_default_accept_source_route
 - sysctl_net_ipv4_conf_all_secure_redirects
 - sysctl_net_ipv4_conf_default_secure_redirects
 - sysctl_net_ipv4_conf_all_send_redirects
 - sysctl_net_ipv4_conf_default_send_redirects
 - sysctl_net_ipv4_conf_all_log_martians
 - sysctl_net_ipv4_conf_default_log_martians
- - sysctl_net_ipv4_conf_all_rp_filter
- - sysctl_net_ipv4_conf_default_rp_filter
- - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
 - sysctl_net_ipv4_ip_forward
 - sysctl_net_ipv4_tcp_syncookies
From 4215e69c3264404b4f8597bb12536ddf9f95fe59 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 4 Jul 2022 13:58:24 +0200
Subject: [PATCH 2/7] RHEL9 OSPP: Drop rules affecting important funcionality The TCP SYN cookikes rules may prevent some TCP options from working; and without accepting Router Advertisements, ability of hosts to use IPv6 becomes severely limited.
---
 products/rhel9/profiles/ospp.profile | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 6b57dcdeeb7..d0000be5041 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -72,8 +72,6 @@ selections:
 - chronyd_client_only
 ### Network Settings
- - sysctl_net_ipv6_conf_all_accept_ra
- - sysctl_net_ipv6_conf_default_accept_ra
 - sysctl_net_ipv4_conf_all_accept_redirects
 - sysctl_net_ipv4_conf_default_accept_redirects
 - sysctl_net_ipv6_conf_all_accept_redirects
@@ -85,7 +83,6 @@ selections:
 - sysctl_net_ipv4_conf_all_log_martians
 - sysctl_net_ipv4_conf_default_log_martians
 - sysctl_net_ipv4_ip_forward
- - sysctl_net_ipv4_tcp_syncookies
 ### systemd
 - disable_ctrlaltdel_reboot
From 10a621b7fc934a81080632159b61328e303f39cf Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 4 Jul 2022 14:01:41 +0200
Subject: [PATCH 3/7] RHEL9 OSPP: Drop rules changing default values not related to OSPP Removes rules that change RHEL9 default values but are not related to any specific OSPP requirement
---
 products/rhel9/profiles/ospp.profile | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index d0000be5041..e9dbb8bc7bd 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -72,10 +72,6 @@ selections:
 - chronyd_client_only
 ### Network Settings
- - sysctl_net_ipv4_conf_all_accept_redirects
- - sysctl_net_ipv4_conf_default_accept_redirects
- - sysctl_net_ipv6_conf_all_accept_redirects
- - sysctl_net_ipv6_conf_default_accept_redirects
 - sysctl_net_ipv4_conf_all_secure_redirects
 - sysctl_net_ipv4_conf_default_secure_redirects
 - sysctl_net_ipv4_conf_all_send_redirects
From 1710015450a9b6780be2f5ed363c893d437f923d Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 4 Jul 2022 14:03:53 +0200
Subject: [PATCH 4/7] RHEL9 OSPP: Drop send redirect rules that don't affect the TOE Remove rules that changes the default value but don't impact the security of the TOE in any way.
---
 products/rhel9/profiles/ospp.profile | 2 --
 1 file changed, 2 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index e9dbb8bc7bd..159170d5ff9 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -74,8 +74,6 @@ selections:
 ### Network Settings
 - sysctl_net_ipv4_conf_all_secure_redirects
 - sysctl_net_ipv4_conf_default_secure_redirects
- - sysctl_net_ipv4_conf_all_send_redirects
- - sysctl_net_ipv4_conf_default_send_redirects
 - sysctl_net_ipv4_conf_all_log_martians
 - sysctl_net_ipv4_conf_default_log_martians
 - sysctl_net_ipv4_ip_forward
From 6d4bc8ef333a361a9c1149be44fa0796f81fa7dc Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 4 Jul 2022 14:05:22 +0200
Subject: [PATCH 5/7] RHEL9 OSPP: Remove rules that affect secuity of TOE Sysctl allows redirects only when they are considered secure.
---
 products/rhel9/profiles/ospp.profile | 2 --
 1 file changed, 2 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 159170d5ff9..771daed43e2 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -72,8 +72,6 @@ selections:
 - chronyd_client_only
 ### Network Settings
- - sysctl_net_ipv4_conf_all_secure_redirects
- - sysctl_net_ipv4_conf_default_secure_redirects
 - sysctl_net_ipv4_conf_all_log_martians
 - sysctl_net_ipv4_conf_default_log_martians
 - sysctl_net_ipv4_ip_forward
From 8e1bedea2fd0740ee7d25cb028af1d8031fc6710 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 4 Jul 2022 14:08:47 +0200
Subject: [PATCH 6/7] RHEL9 OSPP: Drop log martians rules Remove rules that might help with detecting network issues but not related to TOE security.
---
 products/rhel9/profiles/ospp.profile | 2 --
 1 file changed, 2 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 771daed43e2..58702502bf4 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -72,8 +72,6 @@ selections:
 - chronyd_client_only
 ### Network Settings
- - sysctl_net_ipv4_conf_all_log_martians
- - sysctl_net_ipv4_conf_default_log_martians
 - sysctl_net_ipv4_ip_forward
 ### systemd
From 7ffc1fb101edc8f29ace5c9e84d3f39e2a3cbfae Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 4 Jul 2022 14:09:57 +0200
Subject: [PATCH 7/7] RHEL9 OSPP: Drop rule preventing forwarding Remove rule that prevents routing which is a valid use-case. This is also needed for containerized and VM-hosting setups.
---
 products/rhel9/profiles/ospp.profile | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 58702502bf4..c9e944b32d2 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -71,9 +71,6 @@ selections:
 # Time Server
 - chronyd_client_only
- ### Network Settings
- - sysctl_net_ipv4_ip_forward
-
 ### systemd
 - disable_ctrlaltdel_reboot
 - disable_ctrlaltdel_burstaction