openstack/ansible-hardening
Code Issues Proposed changes

Disable martian logging by default

Browse Source 
This patch disables martian packet logging and updates the
documentation to reflect the new default. A release note
is also included to make deployers aware of the change.

Closes-bug: 1619039
Change-Id: I4b19aa1200298a92c85824e319bb919260e5a6d0
This commit is contained in:
Major Hayden 2016-08-31 15:54:48 -05:00
parent 83dd342b19
commit e58ae245ad
4 changed files with 35 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
defaults/main.yml
View File

@ -225,6 +225,7 @@ security_disable_icmpv6_redirects: no # V-38548
# ** DANGER ** # ** DANGER **
# #
security_sysctl_enable_tcp_syncookies: yes # V-38539 security_sysctl_enable_tcp_syncookies: yes # V-38539
security_sysctl_enable_martian_logging: no # V-38528
# #
# Deployers who wish to disable IPv6 entirely must set this configuration # Deployers who wish to disable IPv6 entirely must set this configuration
# variable to 'yes'. See the documentation for V-38546 before making this # variable to 'yes'. See the documentation for V-38546 before making this

23
doc/source/stig-notes/V-38528_developer.rst
View File

@ -1,5 +1,22 @@
The Ansible task in this role will ensure that martian packets are logged to **Exception**
rsyslog. Wikpedia's article on `martian packets`_ provides additional
information. The STIG requires that all martian packets are logged by setting the sysctl
parameter ``net.ipv4.conf.all.log_martians`` to ``1``.
Although the logs can be valuable in some situations, the setting can generate
a *significant* amount of logging in OpenStack environments, especially those
that use neutron's Linux bridge networking. In some situations, the logging can
flood the physical terminal and make troubleshooting at the console or via out
of band (like iKVM, DRAC and iLO) **extremely difficult**.
The role will ensure that martian packet logging is disabled by default.
Deployers that need this logging enabled will need to set the following
Ansible variable:
.. code-block:: yaml
security_sysctl_enable_martian_logging: yes
Wikpedia's article on `martian packets`_ provides additional information.
.. _martian packets: https://en.wikipedia.org/wiki/Martian_packet .. _martian packets: https://en.wikipedia.org/wiki/Martian_packet

13
releasenotes/notes/configurable-martian-logging-370ede40b036db0b.yaml Normal file
View File

@ -0,0 +1,13 @@
---
features:
- |
Although the STIG requires martian packets to be logged, the logging is
now disabled by default. The logs can quickly fill up a syslog server or
make a physical console unusable.
Deployers that need this logging enabled will need to set the following
Ansible variable:
.. code-block:: yaml
security_sysctl_enable_martian_logging: yes

2
tasks/kernel.yml
View File

@ -16,7 +16,7 @@
- name: V-38528 - The system must log martian packets - name: V-38528 - The system must log martian packets
sysctl: sysctl:
name: net.ipv4.conf.all.log_martians name: net.ipv4.conf.all.log_martians
value: 1 value: "{{ (security_sysctl_enable_martian_logging | bool) | ternary('1', '0') }}"
state: present state: present
sysctl_set: yes sysctl_set: yes
tags: tags: