On Wednesday, December 11, 2013 04:55:39 PM Robert Sanders wrote:
> Morning again,
> While working a bit more on the sysctl issue with net.ipv4.ip_forward and
> net.ipv4.conf.all.accept_redirects found another interesting tidbit. My
> boxes are stock installs, which includes the libvirtd service as an enabled
> service. I noticed that my /etc/sysctl.conf file explicitly had
> 'net.ipv4.ip_forward = 0', but the output of 'sysctl net.ipv4.ip_forward'
> shows a running value of '1'. This makes sense, as libvirtd I believe
> needs to be able to forward packets potentially between any virtual NICs on
> the system. My question - is there a STIG that requires this service to be
> disabled or not installed. If not, then RHEL-06-000082 will never be
> satisfied. Bear in mind, I'm still working from the published RHEL6 STIG,
> not the SSG document at this time.
In my opinion, there should be a STIG specifically for virtualization. For example, you absolutely _must_ have the clean traffic ebtables rules loaded or you have potential for all kinds of mischief.

-Steve

https://www.berrange.com/posts/2011/10/03/guest-mac-spoofing-denial-of-service-and-preventing-it-with-libvirt-and-kvm/

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
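As an added example, not code from the thread or from the SCAP Security Guide project, here is a small POSIX shell drift check for the situation Robert describes: /etc/sysctl.conf persists net.ipv4.ip_forward = 0, but a service started later (libvirtd here) has flipped the running value to 1, so a check that reads sysctl output fails while the file looks compliant. The function names (persisted_sysctl, running_sysctl, check_drift, demo_drift) and the sample config in the demo are constructed for this example.

```shell
#!/bin/sh
# Added example: compare a sysctl setting persisted in a sysctl.conf-style file
# with the value the kernel is actually running, so runtime changes made by a
# daemon (e.g. libvirtd enabling ip_forward) are reported as drift.

# persisted_sysctl FILE KEY
#   Prints the last value FILE assigns to KEY ("key = value" or "key=value",
#   comment lines ignored); prints nothing if KEY is not set in FILE.
persisted_sysctl() {
    file="$1"; key="$2"
    sed -e 's/[#;].*$//' "$file" | awk -v k="$key" -F'=' '
        {
            gsub(/^[ \t]+|[ \t]+$/, "", $1)
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            if ($1 == k) v = $2        # later lines override earlier ones
        }
        END { if (v != "") print v }'
}

# running_sysctl KEY
#   Reads the live value from /proc/sys (dots in the key become slashes),
#   which is the same source "sysctl KEY" reports.
running_sysctl() {
    cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null
}

# check_drift FILE KEY RUNNING
#   Returns 0 when the persisted and running values agree, 1 on drift,
#   2 when KEY is not persisted in FILE at all.
check_drift() {
    file="$1"; key="$2"; running="$3"
    persisted=$(persisted_sysctl "$file" "$key")
    if [ -z "$persisted" ]; then
        echo "$key: not set in $file (running=$running)"
        return 2
    fi
    if [ "$persisted" = "$running" ]; then
        echo "$key: ok (persisted=$persisted running=$running)"
        return 0
    fi
    echo "$key: DRIFT persisted=$persisted running=$running"
    return 1
}

# demo_drift
#   Runs the check against a constructed config that mirrors the thread:
#   the file says 0, the kernel (after libvirtd started) reports 1.
demo_drift() {
    tmp=$(mktemp)
    printf '# constructed sample, not a real /etc/sysctl.conf\n' > "$tmp"
    printf 'net.ipv4.ip_forward = 0\n' >> "$tmp"
    printf 'net.ipv4.conf.all.accept_redirects = 0\n' >> "$tmp"
    check_drift "$tmp" net.ipv4.ip_forward 1
    rc=$?
    rm -f "$tmp"
    return $rc
}

main() {
    case "${1:-}" in
        --live)
            # Real host check: persisted file versus the live kernel value.
            check_drift /etc/sysctl.conf net.ipv4.ip_forward \
                "$(running_sysctl net.ipv4.ip_forward)"
            ;;
        *)
            demo_drift
            ;;
    esac
}

main "$@"
```

Run it with --live on the host to compare /etc/sysctl.conf against /proc/sys; without arguments it replays the constructed case and exits 1 to show the drift. The point of checking the running value rather than only the file is that a remediation which edits /etc/sysctl.conf but leaves the service that re-enables forwarding untouched will look fixed on disk and still fail a check that reads sysctl output, as in the thread.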
