MEDIUM RHCOS (Node) M22: Network Sysctl Hardening P3

Remediation required. This group (20 checks) fails on vanilla RHCOS 10.2 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 5.0, RHCOS 10.2) with compliance-operator v1.8.2.

Overview

Hardens IPv4 and IPv6 network stack parameters against routing attacks (ICMP redirects, source routing, rogue router advertisements), source address spoofing (reverse path filtering, SYN cookies) and ICMP-based reconnaissance (broadcast echo, bogus error responses). The settings are applied to both the all and default trees so that existing and future interfaces are covered. Two caveats before enforcing: strict reverse path filtering (rp_filter=1) drops legitimate traffic on multi-homed nodes with asymmetric routes, and accept_ra=0 disables IPv6 SLAAC on nodes that rely on it.

Profile: NIST 800-53 Moderate (rhcos4-moderate)

Compliance Checks

Check | Description
net-ipv4-conf-all-accept-redirects=0 | Reject ICMP redirects (all)
net-ipv4-conf-all-accept-source-route=0 | Reject source-routed packets (all)
net-ipv4-conf-all-log-martians=1 | Log martian packets (all)
net-ipv4-conf-all-rp-filter=1 | Enable strict reverse path filtering (all)
net-ipv4-conf-all-secure-redirects=0 | Reject ICMP redirects even from default gateways (all)
net-ipv4-conf-all-send-redirects=0 | Don't send ICMP redirects (all)
net-ipv4-conf-default-accept-redirects=0 | Reject ICMP redirects (default)
net-ipv4-conf-default-log-martians=1 | Log martian packets (default)
net-ipv4-conf-default-rp-filter=1 | Enable strict reverse path filtering (default)
net-ipv4-conf-default-secure-redirects=0 | Reject ICMP redirects even from default gateways (default)
net-ipv4-conf-default-send-redirects=0 | Don't send ICMP redirects (default)
net-ipv4-icmp-echo-ignore-broadcasts=1 | Ignore ICMP echo requests sent to broadcast addresses
net-ipv4-icmp-ignore-bogus-error-responses=1 | Don't log bogus ICMP error responses
net-ipv4-tcp-syncookies=1 | Enable TCP SYN cookies
net-ipv6-conf-all-accept-ra=0 | Reject IPv6 router advertisements (all)
net-ipv6-conf-all-accept-redirects=0 | Reject IPv6 ICMP redirects (all)
net-ipv6-conf-all-accept-source-route=0 | Reject IPv6 source-routed packets (all)
net-ipv6-conf-default-accept-ra=0 | Reject IPv6 router advertisements (default)
net-ipv6-conf-default-accept-redirects=0 | Reject IPv6 ICMP redirects (default)
net-ipv6-conf-default-accept-source-route=0 | Reject IPv6 source-routed packets (default)

Verification

oc debug node/<node> -- chroot /host sysctl -a 2>/dev/null | grep -E '^net\.ipv(4|6)\.conf\.(all|default)\.(accept_redirects|accept_source_route|accept_ra|log_martians|rp_filter|secure_redirects|send_redirects) |^net\.ipv4\.(icmp_echo_ignore_broadcasts|icmp_ignore_bogus_error_responses|tcp_syncookies) '

Every printed value must match the table above. Restricting the match to the all and default trees drops the per-interface entries (net.ipv4.conf.<iface>.*) that sysctl -a also prints and that these checks do not cover; 2>/dev/null hides the read errors sysctl -a emits for a few keys it cannot access.
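
The following script is an added example, not code from this page, from openshift/os or from the compliance operator. It ties the two halves of this group together: it renders the MachineConfig that a cluster administrator would apply to remediate the 20 checks, and it checks a sysctl -a dump against the same expected values, so the remediation and the verification cannot drift apart. The drop-in file name (75-network-sysctl-hardening.conf), the MachineConfig name and the Ignition version are assumptions; the sample dump is constructed.

```shell
#!/bin/sh
# Added example (not the page's or openshift/os code): remediation and verification for the
# 20 network sysctl checks in this group. File name, MachineConfig name and Ignition
# version are assumptions; adjust them to the cluster's conventions.

# Expected values, one key=value per line, in the dotted form sysctl uses.
EXPECTED='net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.default.accept_source_route=0'

# Body of the sysctl.d drop-in. The 75- prefix sorts after systemd's 50-default.conf,
# so this file wins where both set the same key (rp_filter in particular).
render_sysctl_conf() {
  printf '# Network sysctl hardening, rhcos4-moderate group M22\n%s\n' "$EXPECTED"
}

# MachineConfig that writes the drop-in via Ignition storage.files. $1 is the pool role
# (master or worker). The MCO reboots the pool and systemd-sysctl applies the file at boot.
render_machineconfig() {
  role=$1
  b64=$(render_sysctl_conf | base64 | tr -d '\n')
  cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-${role}-network-sysctl-hardening
  labels:
    machineconfiguration.openshift.io/role: ${role}
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
      - path: /etc/sysctl.d/75-network-sysctl-hardening.conf
        mode: 0644
        overwrite: true
        contents:
          source: data:text/plain;charset=utf-8;base64,${b64}
EOF
}

# Read a `sysctl -a` dump on stdin ("key = value" lines) and print one line per deviation:
# "<key> <expected> <actual>", with <missing> when the key is absent from the dump.
check_sysctl_dump() {
  dump=$(cat)
  printf '%s\n' "$EXPECTED" | while IFS='=' read -r key want; do
    got=$(printf '%s\n' "$dump" |
      awk -v k="$key" '$1 == k { print $3; found = 1 } END { if (!found) print "<missing>" }')
    [ "$got" = "$want" ] || printf '%s %s %s\n' "$key" "$want" "$got"
  done
}

# Number of deviating keys; 0 means every check in the group passes.
count_noncompliant() {
  check_sysctl_dump | wc -l | tr -d ' '
}

# Constructed sample dump: a vanilla node showing systemd's loose rp_filter and RA acceptance.
SAMPLE_DUMP='net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 2
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_ra = 1'

# Usage on a live cluster (the verification command from this page feeds the checker):
#   oc debug node/<node> -- chroot /host sysctl -a 2>/dev/null | check_sysctl_dump
#   render_machineconfig worker | oc apply -f -
```

Run the checker before and after the MachineConfig rolls out: a non-empty report before and an empty one after is the evidence the compliance scan will confirm. Keys reported as <missing> usually mean the dump was taken without chroot /host or from a pod that does not share the host network namespace.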

Upstream Proposal

The following change would eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:

Item: 20 IPv4/IPv6 network sysctl values (All OCP, Low)
Target: openshift/os, /usr/lib/sysctl.d/50-network-hardening.conf
Rationale: Standard CIS/STIG network hardening: disable ICMP redirects and source routing, enable martian logging and TCP SYN cookies. Universally recommended for servers; there is no legitimate reason for a Kubernetes node to accept ICMP redirects.

PR History

20 IPv4/IPv6 network sysctl values: Not Filed (blocked)
Maintainers defer to RHEL/systemd defaults for network sysctls. systemd upstream changed the rp_filter default from strict (1) to loose (2) in v240, and the CoreOS maintainers accepted that change (fedora-coreos-tracker#219). Feedback on PR #264 established the pattern of not carrying RHCOS-specific sysctl overrides. Some of the settings (accept_ra=0, send_redirects=0) can break IPv6 SLAAC or multi-homed configurations. RHEL 9 is non-compliant on 13 of 15 IPv4 STIG controls by design.