Major Hayden e57593dfd4 Automate the STIG documentation
With the upcoming changes to rebase onto the RHEL 7 STIG controls,
there needs to be a new solution for documentation that is easier
to manage and filter. This patch automates the generation of the STIG
control documentation in the following way:

* A Sphinx extension runs early in the doc build process that writes
  all of the individual STIG control docs as well as ToC pages.
* ToC pages are now sorted by severity, tag, and implementation status.
* A giant listing of controls is easier to navigate now.
* Docs are generated from metadata in the /doc/metadata directory. New
  documentation only needs to be added there. (Will explain this in
  the developer notes in a subsequent patch.)

Implements: blueprint security-rhel7-stig
Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
2016-09-09 14:43:30 +00:00

29 lines
947 B
ReStructuredText

---
id: V-38528
status: exception
tag: misc
---
**Exception**
The STIG requires that all martian packets are logged by setting the sysctl
parameter ``net.ipv4.conf.all.log_martians`` to ``1``.
Although the logs can be valuable in some situations, the setting can generate
a *significant* amount of logging in OpenStack environments, especially those
that use neutron's Linux bridge networking. In some situations, the logging can
flood the physical terminal and make troubleshooting at the console or via out
of band (like iKVM, DRAC and iLO) **extremely difficult**.
The role will ensure that martian packet logging is disabled by default.
Deployers that need this logging enabled will need to set the following
Ansible variable:
.. code-block:: yaml
security_sysctl_enable_martian_logging: yes
Wikpedia's article on `martian packets`_ provides additional information.
.. _martian packets: https://en.wikipedia.org/wiki/Martian_packet