Default kernel network variables, sysctl, not secure enough.
Greetings,
Did a security audit on Debian 7 using tiger and found some less than
secure settings for network variables in the kernel.
One of the variables flagged was
net.ipv4.conf.all.rp_filter.
This and the rest in this group can be set in /etc/sysctl.conf. The
commented out values in this file look for all the world like the
correct settings for a reasonably secure system. The default values are
different and leave openings that may be exploited.
The "documentation" referred to at the top of /etc/sysctl.conf has no
useful information in it. Haven't found any man pages yet that define
these variables.
Had a look at www.kernel.org/doc/man-pages but this was not sufficiently
informative.
Had a look in /usr/share/doc. Didn't notice anything. Looked through
the package library for kernel documentation, information on sysctl and
more besides:
apt-cache search kernel
this yielded a list:
linux-doc-3.2
debian-kernel-handbook
linux-doc
Installed them and looked for man pages, nothing found, then through
/usr/share/doc again. This had a number of extra files in it that seemed
relevant but the variables set were not found as such. A look in
/usr/share/doc/linux-doc-32/Documentation/networking/ip-sysctl.txt
defines the values for the previously mentioned variable, with rp_filter
at the end of it. The variable itself was not listed in this file, so a
grep did not find it. One had to look through each possible relevant
file, a number of them (by the way), and discover that the variable
definitions were listed according to their relevant directory in /proc .
In this case:
/proc/sys/net/ipv4/conf/all/rp_filter
The actual value in /proc, the one being used by the system, was the
default, which needs to be tightened up.
Editing /etc/sysctl.conf and uncommenting most of the settings will
improve the situation.
Someone put a README* in /etc/sysctl.d that suggested one put a
local.conf file in /etc/sysctl.d. This may be a better way to do it
but isn't documented anywhere, I think. It is less than obvious and may
be hard to find later.
Putting sysctl commands in start-up scripts may be challenging to find
later but site procedures vary. The variables can be set using sysctl as
well.
How about modifying the supplied /etc/sysctl.conf so that the currently
commented out settings are uncommented, since these are obviously better
and recommended by various bodies as sound practice, etc.
No need to take these ideas on the chin Bob :-)
Cheers,
frank.jansen@actrix.gen.nz, ZL2TTS
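As an added example (not part of the post above), a small POSIX sh check that does what the post did by hand: it maps each key in a sysctl.conf-style file to its /proc/sys path (net.ipv4.conf.all.rp_filter becomes /proc/sys/net/ipv4/conf/all/rp_filter) and reports where the value the kernel is actually using differs. The optional PROC_ROOT argument is an assumption of this example, so it can be pointed at a constructed directory tree instead of the live kernel.

```shell
#!/bin/sh
# Added example, not part of the original post. Compares the values in a
# sysctl.conf-style file with what the kernel is actually using under
# /proc/sys, mapping each key to its path the way the post describes:
#   net.ipv4.conf.all.rp_filter -> /proc/sys/net/ipv4/conf/all/rp_filter
# Only uncommented "key = value" lines count, so a stock sysctl.conf with
# the hardening lines still commented out produces no checks for them.

# audit_sysctl CONF_FILE [PROC_ROOT]
# Prints one "key: want=X have=Y" line per mismatch; the return status is
# the number of mismatches (0 means the running kernel matches the file).
# PROC_ROOT defaults to /proc/sys and exists so the check can be run
# against a constructed directory tree instead of the live kernel.
audit_sysctl() {
    conf=$1
    root=${2:-/proc/sys}
    mismatches=0
    while IFS='=' read -r key want; do
        # Collapse surrounding whitespace on both sides of the '='.
        key=$(echo $key)
        want=$(echo $want)
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            echo "$key: no such sysctl under $root"
            mismatches=$((mismatches + 1))
            continue
        fi
        have=$(echo $(cat "$path"))
        if [ "$have" != "$want" ]; then
            echo "$key: want=$want have=$have"
            mismatches=$((mismatches + 1))
        fi
    done <<EOF
$(sed -e 's/[#;].*//' -e '/=/!d' "$conf")
EOF
    return "$mismatches"
}

# Stand-alone use: audit the given file against the live kernel.
if [ -n "${1-}" ]; then
    audit_sysctl "$1"
fi
```

Running it as `sh audit.sh /etc/sysctl.conf` after uncommenting the hardening lines shows which of them the kernel has not yet picked up (for example before `sysctl -p` has been run).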