On 12/11/13, 12:10 PM, Steve Grubb wrote:
> On Wednesday, December 11, 2013 04:55:39 PM Robert Sanders wrote:
>> Morning again,
>> While working a bit more on the sysctl issue with net.ipv4.ip_forward and
>> net.ipv4.conf.all.accept_redirects found another interesting tidbit. My
>> boxes are stock installs, which includes the libvirtd service as an enabled
>> service. I noticed that my /etc/sysctl.conf file explicitly had
>> 'net.ipv4.ip_forward = 0', but the output of 'sysctl net.ipv4.ip_forward'
>> shows a running value of '1'. This makes sense, as libvirtd I believe
>> needs to be able to forward packets potentially between any virtual NICs on
>> the system. My question: is there a STIG that requires this service to be
>> disabled or not installed? If not, then RHEL-06-000082 will never be
>> satisfied. Bear in mind, I'm still working from the published RHEL6 STIG,
>> not the SSG document at this time.
> In my opinion, there should be a STIG specifically for virtualization. For
> example, you absolutely _must_ have the clean traffic ebtables rules loaded or
> you have potential for all kinds of mischief.
> -Steve
> https://www.berrange.com/posts/2011/10/03/guest-mac-spoofing-denial-of-service-and-preventing-it-with-libvirt-and-kvm/
RHEL6 STIG is meant as a Server, not hypervisor. Feedback as the RHEL6
content is applied to a hypervisor would be most welcome; at some point
we'll make a stig-rhel6-kvm.
IIRC, DISA FSO was socializing a "Virtualizer SRG" a few months back. I
can't seem to find a copy via google, but recall conversations of having
RHEL6+KVM, RHEV-H, and OpenStack Nova follow those requirements.
I'm not sure how VMware handled their ESXi STIG; I think they went
through the OS+Network+AppServer SRGs and cherry-picked things. Red Hat
may do the same for our virt technologies until the Virtualizer SRG is out.
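As an added example (not code from any poster in this thread or from the SSG project): the situation Robert describes, where /etc/sysctl.conf says one thing and the running kernel reports another, is exactly the kind of drift a compliance check has to catch, because an assessor who only reads the config file would pass RHEL-06-000082 while the box is actually forwarding. The POSIX shell script below parses a sysctl-style config file for a key, reads the live value from /proc/sys, and classifies the result as ok, drift, or unset. The function names, the constructed sysctl.conf excerpt, and the hard-coded "running" value of 1 for ip_forward (standing in for what a libvirtd host would report) are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: report drift between the value a
# sysctl key has in a persisted config file and the value the running
# kernel reports. This mirrors the poster's case: sysctl.conf says
# net.ipv4.ip_forward = 0, but the live value is 1 because a service
# (libvirtd there) turned it on after boot.

# sysctl_conf_value FILE KEY
# Prints the last value assigned to KEY in FILE (later lines win, as they
# do for sysctl -p). Comments and surrounding whitespace are ignored.
sysctl_conf_value() {
    sed -e 's/[#;].*//' "$1" | awk -v key="$2" -F'=' '
        NF >= 2 {
            gsub(/^[ \t]+|[ \t]+$/, "", $1)
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            if ($1 == key) val = $2
        }
        END { if (val != "") print val }'
}

# running_value KEY
# Reads the live value from /proc/sys, mapping dots to path separators
# (net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward).
running_value() {
    cat "/proc/sys/$(printf '%s' "$1" | tr '.' '/')"
}

# drift_status CONFIGURED RUNNING
# Prints "ok" when both agree, "drift" when they differ, and "unset" when
# the key is absent from the config file (a finding in its own right:
# nothing will re-apply the intended value at boot).
drift_status() {
    if [ -z "$1" ]; then
        echo unset
    elif [ "$1" = "$2" ]; then
        echo ok
    else
        echo drift
    fi
}

# --- constructed sample input (assumption: not a real host's file) -------
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sysctl.conf excerpt
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects=0   # inline comment
net.ipv4.conf.all.send_redirects = 0
EOF

# Walk the keys the thread discusses. For ip_forward we use a constructed
# running value of 1 (the libvirtd case); the other key reads the live
# kernel when /proc/sys is readable and falls back to "n/a" otherwise.
for key in net.ipv4.ip_forward net.ipv4.conf.all.accept_redirects; do
    configured=$(sysctl_conf_value "$SAMPLE_CONF" "$key")
    if [ "$key" = net.ipv4.ip_forward ]; then
        running=1   # constructed: what a host with libvirtd running reports
    else
        running=$(running_value "$key" 2>/dev/null || echo n/a)
    fi
    printf '%-40s configured=%-6s running=%-4s %s\n' \
        "$key" "${configured:-<none>}" "$running" \
        "$(drift_status "$configured" "$running")"
done
rm -f "$SAMPLE_CONF"
```

On a real host you would point sysctl_conf_value at /etc/sysctl.conf and each file in /etc/sysctl.d, and treat any "drift" line for ip_forward as a prompt to find out which service changed it rather than just re-running sysctl -p, since the service will flip it back on its next start.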
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide