dev-sec / puppet-os-hardening

This puppet module provides numerous security-related configurations, providing all-round base protection.
http://dev-sec.io/
Apache License 2.0

More secure kernel settings #250

Closed mcgege closed 3 years ago

mcgege commented 3 years ago

Following Telekom security requirement linux-15

mvisonneau commented 3 years ago

👋 hey @mcgege, thanks for these improvements. I ran into a situation when using net.ipv4.conf.all.arp_ignore=2 in conjunction with Cilium. I believe it could still be interesting to have the capability to keep it to net.ipv4.conf.all.arp_ignore=1 if necessary 🤔

~$ nsenter --net=/var/run/netns/cni-b8b6dc33-1875-e32d-c730-f3da8f2c21f9 tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:03:48.297180 IP ip-10-16-38-213.eu-west-1.compute.internal.47022 > ip-10-16-96-50.eu-west-1.compute.internal.https: Flags [S], seq 2712694359, win 62727, options [mss 8961,sackOK,TS val 1199655564 ecr 0,nop,wscale 7], length 0
22:03:48.297963 ARP, Request who-has ip-10-16-38-213.eu-west-1.compute.internal tell ip-10-16-41-160.eu-west-1.compute.internal, length 28
22:03:49.327777 IP ip-10-16-38-213.eu-west-1.compute.internal.47022 > ip-10-16-96-50.eu-west-1.compute.internal.https: Flags [S], seq 2712694359, win 62727, options [mss 8961,sackOK,TS val 1199656595 ecr 0,nop,wscale 7], length 0
22:03:49.327888 ARP, Request who-has ip-10-16-38-213.eu-west-1.compute.internal tell ip-10-16-41-160.eu-west-1.compute.internal, length 28
22:03:50.351809 ARP, Request who-has ip-10-16-38-213.eu-west-1.compute.internal tell ip-10-16-41-160.eu-west-1.compute.internal, length 28
22:03:51.343794 IP ip-10-16-38-213.eu-west-1.compute.internal.47022 > ip-10-16-96-50.eu-west-1.compute.internal.https: Flags [S], seq 2712694359, win 62727, options [mss 8961,sackOK,TS val 1199658611 ecr 0,nop,wscale 7], length 0
22:03:53.713681 ARP, Request who-has ip-10-16-38-213.eu-west-1.compute.internal tell ip-10-16-41-160.eu-west-1.compute.internal, length 28
22:03:54.735780 ARP, Request who-has ip-10-16-38-213.eu-west-1.compute.internal tell ip-10-16-41-160.eu-west-1.compute.internal, length 28
22:03:55.471780 IP ip-10-16-38-213.eu-west-1.compute.internal.47022 > ip-10-16-96-50.eu-west-1.compute.internal.https: Flags [S], seq 2712694359, win 62727, options [mss 8961,sackOK,TS val 1199662739 ecr 0,nop,wscale 7], length 0
22:03:55.759789 ARP, Request who-has ip-10-16-38-213.eu-west-1.compute.internal tell ip-10-16-41-160.eu-west-1.compute.internal, length 28
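The capture above shows repeated ARP requests that never get an answer. The following is an added example, not code from puppet-os-hardening or from the reporter: a small Python model of the reply rules the kernel applies for each value of net.ipv4.conf.<if>.arp_ignore (as documented in Documentation/networking/ip-sysctl.rst), run against a constructed pod network namespace shaped like the one in the capture. It assumes the pod's eth0 carries its address as a /32 (the capture does not show the prefix length, but that is how Cilium-managed pods are usually addressed) and that 10.16.41.160 is the host side asking for the pod's MAC. Under those assumptions mode 1 answers the request and mode 2 does not, because the sender is outside the only prefix configured on eth0; the same rule is harmless on an ordinary VM whose address has a real subnet mask.

```python
"""Model of the Linux arp_ignore reply rules (added example, not kernel,
project or reporter code). Addresses below are constructed; the /32 on the
pod interface is an ASSUMPTION about Cilium's addressing."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface

# RT_SCOPE_* ordering used by the kernel: a smaller number is a wider scope.
SCOPE_RANK = {"global": 0, "link": 253, "host": 254}


@dataclass
class Iface:
    name: str
    # (address with prefix, scope) pairs, as `ip -4 addr show` reports them
    addrs: list


def _local_on(dev, target):
    """True if `target` is one of the addresses configured on `dev`."""
    return any(target == a.ip for a, _ in dev.addrs)


def arp_reply(mode, host, in_iface, sender, target):
    """True if a kernel with arp_ignore=`mode` on `in_iface` answers an ARP
    request from `sender` that asks for `target`.

    `host` is the list of Iface in the receiving network namespace. The ARP
    input path only reaches this check when `target` is a local address of
    the namespace, which is why mode 0 still requires that."""
    sender, target = IPv4Address(sender), IPv4Address(target)
    dev = next(i for i in host if i.name == in_iface)
    if mode == 1:
        # reply only if target is configured on the incoming interface
        return _local_on(dev, target)
    if mode == 2:
        # as mode 1, plus sender and target inside one prefix of that interface
        return _local_on(dev, target) and any(
            sender in a.network and target in a.network for a, _ in dev.addrs)
    if mode == 3:
        # any interface, but never for host-scope addresses
        return any(target == a.ip and SCOPE_RANK[s] < SCOPE_RANK["host"]
                   for i in host for a, s in i.addrs)
    if mode == 8:
        return False
    # 0 and the reserved values 4..7: reply for any local address
    return any(_local_on(i, target) for i in host)


# Constructed pod network namespace modelled on the capture: eth0 holds the
# pod address as a /32 (ASSUMED); the host side asks from 10.16.41.160,
# which is not inside that /32.
POD_NS = [Iface("lo", [(IPv4Interface("127.0.0.1/8"), "host")]),
          Iface("eth0", [(IPv4Interface("10.16.38.213/32"), "global")])]
HOST_SIDE_IP = "10.16.41.160"
POD_IP = "10.16.38.213"

# Constructed ordinary VM: one address with a real subnet mask (10.16.32.0/20).
VM = [Iface("lo", [(IPv4Interface("127.0.0.1/8"), "host")]),
      Iface("eth0", [(IPv4Interface("10.16.41.160/20"), "global")])]


def pod_replies(mode):
    """Does the pod answer the host side's ARP request under this mode?"""
    return arp_reply(mode, POD_NS, "eth0", HOST_SIDE_IP, POD_IP)


def vm_replies(mode, sender="10.16.38.213"):
    """Does the VM answer a neighbour's ARP request under this mode?"""
    return arp_reply(mode, VM, "eth0", sender, "10.16.41.160")


if __name__ == "__main__":
    for mode in (0, 1, 2, 3, 8):
        print(f"arp_ignore={mode}: pod replies={pod_replies(mode)} "
              f"vm replies={vm_replies(mode)}")
```

Running it prints a reply decision per mode; the line for mode 2 is the one that matches the silent requests in the capture. To check a live node without changing anything, compare `sysctl net.ipv4.conf.all.arp_ignore` on the host with `nsenter --net=<netns> sysctl net.ipv4.conf.all.arp_ignore` inside a pod namespace, and look at the prefix length on the pod's eth0 with `ip -4 addr show eth0` in that namespace.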

mcgege commented 3 years ago

@mvisonneau Sorry for the problems with this change ... we have some discussion now on this here, please be patient

mcgege commented 3 years ago

@mvisonneau Will bring back the old default of 1 with #256

mvisonneau commented 3 years ago

awesome, thanks a lot @mcgege 🙇