
With the upcoming changes to rebase onto the RHEL 7 STIG controls, there needs to be a new solution for documentation that is easier to manage and filter. This patch automates the generation of the STIG control documentation in the following way:

* A Sphinx extension runs early in the doc build process that writes all of the individual STIG control docs as well as ToC pages.
* ToC pages are now sorted by severity, tag, and implementation status.
* A giant listing of controls is easier to navigate now.
* Docs are generated from metadata in the /doc/metadata directory. New documentation only needs to be added there. (Will explain this in the developer notes in a subsequent patch.)

Implements: blueprint security-rhel7-stig

Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386

29 lines | 947 B | ReStructuredText
---
id: V-38528
status: exception
tag: misc
---

**Exception**

The STIG requires that all martian packets are logged by setting the sysctl
parameter ``net.ipv4.conf.all.log_martians`` to ``1``.

Although the logs can be valuable in some situations, the setting can generate
a *significant* amount of logging in OpenStack environments, especially those
that use neutron's Linux bridge networking. In some situations, the logging can
flood the physical terminal and make troubleshooting at the console or via
out-of-band access (like iKVM, DRAC and iLO) **extremely difficult**.

The role will ensure that martian packet logging is disabled by default.
Deployers that need this logging enabled will need to set the following
Ansible variable:

.. code-block:: yaml

    security_sysctl_enable_martian_logging: yes

Wikipedia's article on `martian packets`_ provides additional information.

.. _martian packets: https://en.wikipedia.org/wiki/Martian_packet
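The following is an added audit script, not part of the role or this patch: it derives the kernel value that ``security_sysctl_enable_martian_logging`` asks for and compares it with the live ``net.ipv4.conf.all.log_martians`` value read from a ``sysctl -a`` capture, so a deployer can spot drift between the variable and the host. The function names and the sample sysctl output are constructed for this example.

```shell
#!/bin/sh
# Added example (not the ansible-hardening role's own code): audit the martian
# logging sysctl against the state the deployer's Ansible variable requests.

# Map the Ansible variable's truthiness onto the kernel value (1 = log, 0 = don't).
# $1: value of security_sysctl_enable_martian_logging (yes/no/true/false/1/0)
expected_log_martians() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        yes|true|1|on) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Pull the effective value out of text in `sysctl -a` format ("key = value").
# $1: path to a file holding sysctl output (a real capture, or the sample below)
current_log_martians() {
    awk -F' = ' '$1 == "net.ipv4.conf.all.log_martians" { print $2 }' "$1"
}

# Exit 0 when the host matches what the variable requests, 1 on drift
# (a missing key also counts as drift, since no value is known).
# $1: variable value, $2: sysctl capture file
check_martian_logging() {
    want=$(expected_log_martians "$1")
    have=$(current_log_martians "$2")
    [ "$have" = "$want" ]
}

# Constructed sample resembling `sysctl -a` output, so the script runs offline.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 0
EOF

# Example run: the sample host logs martians, but the role default is "no",
# so this reports drift.
if check_martian_logging no "$SAMPLE"; then
    echo "martian logging matches the variable"
else
    echo "drift: host log_martians=$(current_log_martians "$SAMPLE"), variable requests $(expected_log_martians no)"
fi
```

On a live host, capture ``sysctl -a > /tmp/sysctl.txt`` and pass that file as the second argument together with the value set in your Ansible inventory.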