Shawn,

Makes sense; however, with libvirtd able to be installed 'out-of-the-box', I'd submit that a line item requiring it to be off (a la other 'services') would be appropriate, especially if a quasi-default install option breaks required items in the STIG.
-Rob
________________________________________
From: [email protected] [[email protected]] on behalf of Shawn Wells [[email protected]]
Sent: Wednesday, December 11, 2013 10:31 PM
To: [email protected]
Subject: Re: RHEL6 and libvirtd affecting net.ipv4.ip_forward

On 12/11/13, 12:10 PM, Steve Grubb wrote:
> On Wednesday, December 11, 2013 04:55:39 PM Robert Sanders wrote:
>> Morning again,
>> While working a bit more on the sysctl issue with net.ipv4.ip_forward and
>> net.ipv4.conf.all.accept_redirects found another interesting tidbit. My
>> boxes are stock installs, which includes the libvirtd service as an enabled
>> service. I noticed that my /etc/sysctl.conf file explicitly had
>> 'net.ipv4.ip_forward = 0', but the output of 'sysctl net.ipv4.ip_forward'
>> shows a running value of '1'. This makes sense, as libvirtd I believe
>> needs to be able to forward packets potentially between any virtual NICs on
>> the system. My question - is there a STIG that requires this service to be
>> disabled or not installed. If not, then RHEL-06-000082 will never be
>> satisfied. Bear in mind, I'm still working from the published RHEL6 STIG,
>> not the SSG document at this time.
> In my opinion, there should be a STIG specifically for virtualization. For
> example, you absolutely _must_ have the clean traffic ebtables rules loaded or
> you have potential for all kinds of mischief.
>
> -Steve
>
>
> https://www.berrange.com/posts/2011/10/03/guest-mac-spoofing-denial-of-service-and-preventing-it-with-libvirt-and-kvm/

RHEL6 STIG is meant as a Server, not hypervisor. Feedback as the RHEL6 content is applied to a hypervisor would be most welcome; at some point we'll make a stig-rhel6-kvm.

IIRC, DISA FSO was socializing a "Virtualizer SRG" a few months back. I can't seem to find a copy via google, but recall conversations of having RHEL6+KVM, RHEV-H, and OpenStack Nova follow those requirements.
I'm not sure how VMware handled their ESXi STIG; I think they went through the OS+Network+AppServer SRGs and cherry picked things. Red Hat may do the same for our virt technologies until the Virtualizer SRG is out.

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
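As an added example (not code from this thread or from the SSG project), a portable shell check that compares what a sysctl.conf-style file persists against a capture of `sysctl -a`, so the situation Robert describes (the file says `net.ipv4.ip_forward = 0` but the kernel runs with `1` once libvirtd has started) surfaces as drift instead of going unnoticed; both input files are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): report sysctl keys whose persisted value
# in a sysctl.conf-style file differs from the kernel's running value. The running
# side is read from a file so the check runs offline; on a live host capture it
# with `sysctl -a > running.txt`. A daemon such as libvirtd flipping ip_forward
# after boot shows up as drift even though sysctl.conf still says 0.

# sysctl_drift CONFIG_FILE RUNNING_FILE
# Prints one "key: want=X have=Y" line per mismatch; returns 1 if any drift, else 0.
sysctl_drift() {
    awk '
        # both files: drop comments and blank lines
        { sub(/[#;].*/, ""); if ($0 ~ /^[ \t]*$/) next }
        # first file (running values from `sysctl -a`): remember "key = value"
        FNR == NR { n = split($0, f, /[ \t]*=[ \t]*/); if (n < 2) next
                    gsub(/^[ \t]+|[ \t]+$/, "", f[1]); gsub(/^[ \t]+|[ \t]+$/, "", f[2])
                    have[f[1]] = f[2]; next }
        # second file (persisted config): compare each key with the running value
        { n = split($0, f, /[ \t]*=[ \t]*/); if (n < 2) next
          gsub(/^[ \t]+|[ \t]+$/, "", f[1]); gsub(/^[ \t]+|[ \t]+$/, "", f[2])
          if (!(f[1] in have)) { printf "%s: want=%s have=<unset>\n", f[1], f[2]; drift = 1 }
          else if (have[f[1]] != f[2]) { printf "%s: want=%s have=%s\n", f[1], f[2], have[f[1]]; drift = 1 } }
        END { exit (drift ? 1 : 0) }
    ' "$2" "$1"
}

# write_samples DIR: constructed sample inputs modelled on the stock RHEL6 host in the thread
write_samples() {
    # what /etc/sysctl.conf persists (constructed sample)
    printf '%s\n' '# constructed sample of /etc/sysctl.conf' \
        'net.ipv4.ip_forward = 0' 'net.ipv4.conf.all.accept_redirects = 0' > "$1/sysctl.conf"
    # what `sysctl -a` reports after libvirtd has brought up its NAT network (constructed sample)
    printf '%s\n' 'net.ipv4.ip_forward = 1' \
        'net.ipv4.conf.all.accept_redirects = 0' > "$1/running.txt"
}

d=$(mktemp -d)
write_samples "$d"
if sysctl_drift "$d/sysctl.conf" "$d/running.txt"; then
    echo "running kernel matches sysctl.conf"
else
    echo "drift detected: a service (e.g. libvirtd) changed a value after sysctl.conf was applied"
fi
rm -rf "$d"
```

On a real host, `sysctl -a > running.txt` and `sysctl_drift /etc/sysctl.conf running.txt` gives the same report; a non-zero exit is what a compliance scan for RHEL-06-000082 would trip on.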
