Bug 1683145 - [RHOSP13] Need hardening recommendation to remove file-system modules and path MTU discovery [NEEDINFO]
Summary: [RHOSP13] Need hardening recommendation to remove file-system modules and path...
Keywords:
Status: CLOSED EOL
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo
Version: 13.0 (Queens)
Hardware: x86_64
OS: All
Priority: high
Severity: high
Target Milestone: ---
Assignee: Harry Rybacki
QA Contact: Nobody
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-02-26 10:34 UTC by Pradipta Kumar Sahoo
Modified: 2023-07-11 20:20 UTC (History)
CC List: 15 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-07-11 20:20:14 UTC
Target Upstream Version:
Embargoed:
hrybacki: needinfo? (alee)




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-8226 0 None None None 2022-02-05 08:56:13 UTC

Description Pradipta Kumar Sahoo 2019-02-26 10:34:48 UTC
Description of problem:

We need an official recommendation for enabling the hardening below in the OpenStack environment, since we did not find any recommendation in the official guide.

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/security_and_hardening_guide/



Hardening Details:
1. Wish to disable "path MTU discovery", since it could be used by a malicious attacker to receive a reply from the server despite the firewall configuration by forcefully sending a large packet. The customer's suspicion is that, since some interfaces do have a 9000-byte MTU, this discovery mechanism might be used if the MTU in some part of the path is in fact lower.

      - name: Disable PMTUD on sysctl.conf
        sysctl:
          name: net.ipv4.ip_no_pmtu_disc
          value: '1'   # 1 disables path MTU discovery; 0 is the kernel default and leaves it enabled
          state: present
          reload: yes

2. Regarding the filesystems, the customer has already disabled freevxfs, jffs2, hfs and hfsplus, since none of them will ever be used on the OSP infra. But they have doubts about the UDF filesystem, which is used in ISO files, and suspect QEMU does some conversion for which it needs to load the module. Please confirm whether it is safe to remove all these filesystem modules from overcloud nodes.
modprobe -r cramfs
modprobe -r freevxfs
modprobe -r jffs2
modprobe -r hfs
modprobe -r hfsplus
modprobe -r udf


Version-Release number of selected component (if applicable):
Red Hat OpenStack 13 Director
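The two hardening items in the report, turned into checks that can be dry-run against files before touching an overcloud node. This is an added example for this page, not code from the bug report, from TripleO or from the Red Hat hardening guide; the fragment file name hardening-unused-fs.conf and all file paths are assumptions passed in as parameters. It encodes two caveats a practitioner would want here: modprobe -r only unloads a module that is loaded right now and does nothing to stop the kernel auto-loading it again on the next mount, so a modprobe.d fragment is needed to make the removal stick; and net.ipv4.ip_no_pmtu_disc=0 (the value in the Ansible task above) is the kernel default with discovery enabled, so a task meant to disable PMTUD needs 1, 2 or 3 (mode 3 is the hardened mode that only honours fragmentation-needed ICMP where TCP, SCTP or DCCP can verify it).

```shell
#!/bin/sh
# Added example for bug 1683145; not code from the report, from tripleo or from the
# Red Hat hardening guide. Works on plain files (a /proc/modules-style list and a
# sysctl.conf-style file) so the logic can be tested off-node. The fragment name
# hardening-unused-fs.conf is an assumption.

# Kernel module names are lowercase: the UDF module is "udf", not "UDF".
UNUSED_FS_MODULES="cramfs freevxfs jffs2 hfs hfsplus udf"

# Render a modprobe.d fragment. "install <mod> /bin/false" makes any later load
# attempt (e.g. mount -t udf) fail; "blacklist <mod>" stops alias-based autoloading.
fs_blacklist_conf() {
    for m in "$@"; do
        printf 'install %s /bin/false\nblacklist %s\n' "$m" "$m"
    done
}

# Write the fragment into a modprobe.d directory (/etc/modprobe.d on a real node).
write_fs_blacklist() {
    dir="$1"; shift
    fs_blacklist_conf "$@" > "$dir/hardening-unused-fs.conf"
}

# Print which of the given modules appear in a /proc/modules-style file
# (first column is the module name; exact match, so "hfs" does not match "hfsplus").
loaded_fs_modules() {
    modfile="$1"; shift
    for m in "$@"; do
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$modfile"; then
            printf '%s\n' "$m"
        fi
    done
}

# Extract net.ipv4.ip_no_pmtu_disc from a sysctl.conf-style file. The last setting
# wins, as with sysctl -p. Prints "unset" when the key is absent.
pmtud_setting() {
    v=$(sed -n 's/^[[:space:]]*net\.ipv4\.ip_no_pmtu_disc[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Meaning of each value, following the kernel's ip-sysctl documentation.
pmtud_mode_desc() {
    case "$1" in
        0) echo "0: path MTU discovery enabled (kernel default)" ;;
        1) echo "1: disabled; IPv4 sockets send without DF, frag-needed ICMP clamps the PMTU to min_pmtu" ;;
        2) echo "2: disabled; incoming PMTU discovery ICMP is discarded as well" ;;
        3) echo "3: hardened; frag-needed ICMP honoured only where TCP/SCTP/DCCP can verify it" ;;
        *) echo "invalid value '$1' (expected 0-3)"; return 1 ;;
    esac
}

# Stand-alone use on a node (as root):
#   loaded_fs_modules /proc/modules $UNUSED_FS_MODULES
#   write_fs_blacklist /etc/modprobe.d $UNUSED_FS_MODULES
#   for m in $UNUSED_FS_MODULES; do modprobe -r "$m" 2>/dev/null; done
#   pmtud_mode_desc "$(sysctl -n net.ipv4.ip_no_pmtu_disc)"
```

Two things to keep in mind when applying this. Blacklisting udf only affects filesystems mounted by the host kernel; a guest that reads an ISO attached to it as a virtual CD-ROM uses the guest's own filesystem driver, because QEMU presents the image as a block device and does not interpret the filesystem inside it. And with PMTUD disabled on a host that mixes 9000-byte and smaller MTUs along a path, outgoing IPv4 packets are sent without DF and are fragmented by intermediate routers instead of being black-holed, so throughput on the jumbo-frame links should be re-tested after the change.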

Comment 13 Cyril Roelandt 2019-03-28 20:37:41 UTC
I feel like UDF should not be needed for Glance/Ceph, but I'm putting a needinfo on Yogev, who knows Ceph better than I do.

Comment 23 Lon Hohberger 2023-07-11 20:20:14 UTC
OSP 13 was retired on June 27, 2023. If this was to be targeted for a different release, please reopen and retarget.

