CIS compliance (sysctl, limits)

* CIS 1.5.1 Ensure core dumps are restricted
* CIS 1.5.3 Ensure address space layout randomization (ASLR) is enabled
* CIS 3.1.2 Ensure packet redirect sending is disabled
* CIS 3.2.1 Ensure source routed packets are not accepted
* CIS 3.2.2 Ensure ICMP redirects are not accepted
* CIS 3.2.3 Ensure secure ICMP redirects are not accepted
* CIS 3.2.4 Ensure suspicious packets are logged
* CIS 3.2.5 Ensure broadcast ICMP requests are ignored
* CIS 3.2.6 Ensure bogus ICMP responses are ignored
* CIS 3.2.7 Ensure Reverse Path Filtering is enabled
* CIS 3.2.8 Ensure TCP SYN Cookies is enabled

All sysctls are valid for Ubuntu 14.04, Ubuntu 16.04.

Change-Id: I48f34c55d97a78c253d4810db46b2a04ff5c0c1a
diff --git a/metadata/service/system/cis/cis-3-2-1.yml b/metadata/service/system/cis/cis-3-2-1.yml
new file mode 100644
index 0000000..962e5e0
--- /dev/null
+++ b/metadata/service/system/cis/cis-3-2-1.yml
@@ -0,0 +1,56 @@
+# 3.2.1 Ensure source routed packets are not accepted
+#
+# Description
+# ===========
+# In networking, source routing allows a sender to partially or fully specify
+# the route packets take through a network. In contrast, non-source routed
+# packets travel a path determined by routers in the network. In some cases,
+# systems may not be routable or reachable from some locations (e.g. private
+# addresses vs. Internet routable), and so source routed packets would need
+# to be used.
+#
+# Rationale
+# =========
+# Setting `net.ipv4.conf.all.accept_source_route` and
+# `net.ipv4.conf.default.accept_source_route` to 0 disables the system from
+# accepting source routed packets. Assume this system was capable of routing
+# packets to Internet routable addresses on one interface and private addresses
+# on another interface. Assume that the private addresses were not routable to
+# the Internet routable addresses and vice versa. Under normal routing
+# circumstances, an attacker from the Internet routable addresses could not use
+# the system as a way to reach the private address systems. If, however, source
+# routed packets were allowed, they could be used to gain access to the private
+# address systems as the route could be specified, rather than rely on routing
+# protocols that did not allow this routing.
+#
+# Audit
+# =====
+#
+# Run the following commands and verify output matches:
+#
+#   # sysctl net.ipv4.conf.all.accept_source_route
+#   net.ipv4.conf.all.accept_source_route = 0
+#   # sysctl net.ipv4.conf.default.accept_source_route
+#   net.ipv4.conf.default.accept_source_route = 0
+#
+# Remediation
+# ===========
+#
+# Set the following parameters in the /etc/sysctl.conf file:
+#
+#   net.ipv4.conf.all.accept_source_route = 0
+#   net.ipv4.conf.default.accept_source_route = 0
+#
+# Run the following commands to set the active kernel parameters:
+#
+#   # sysctl -w net.ipv4.conf.all.accept_source_route=0
+#   # sysctl -w net.ipv4.conf.default.accept_source_route=0
+#   # sysctl -w net.ipv4.route.flush=1
+
+parameters:
+  linux:
+    system:
+      kernel:
+        sysctl:
+          net.ipv4.conf.all.accept_source_route: 0
+          net.ipv4.conf.default.accept_source_route: 0
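Review bot: the Remediation section of the header comment documents a three-step procedure ending in `sysctl -w net.ipv4.route.flush=1`, but the `parameters` block only carries the two `accept_source_route` keys, so whatever consumes `linux:system:kernel:sysctl` will set the values without the route cache flush the comment asks for. Either state in the comment that the formula applying these parameters handles the flush (or that the change is only guaranteed effective for routes created after it), or trim the comment to the two values the file actually configures so the documented procedure and the metadata agree. Since this comment is the only documentation of the control, it would also help to name the CIS benchmark and version the Description, Rationale and Audit text is quoted from.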