Add firewalld rate limit rule [+Docs]

This patch adds tasks that set a rate limit rule for new TCP connections. The limit can cause issues with applications that handle large amounds of TCP connections, so the limit is opt in only. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: If448508ae6f629c9e162beeea420100da9e08d52
2016-11-30 13:09:00 -06:00 · 2016-11-30 13:09:00 -06:00 · 00857924d3
parent 51bd12f03f
commit 00857924d3
3 changed files with 43 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -519,6 +519,10 @@ security_enable_virus_scanner: no                            # RHEL-07-030810
 security_rhel7_disable_ctrl_alt_delete: yes                  # RHEL-07-020220
 # Install and enable firewalld for iptables management.
 security_enable_firewalld: no                                # RHEL-07-040290
+# Rate limit TCP connections to 25/min and burstable to 100.
+security_enable_firewalld_rate_limit: no                     # RHEL-07-040250
+security_enable_firewalld_rate_limit_per_minute: 25
+security_enable_firewalld_rate_limit_burst: 100

 ## Packages (packages)
 # Remove packages from the system as required by the STIG. Set any of these
--- a/doc/metadata/rhel7/RHEL-07-040250.rst
+++ b/doc/metadata/rhel7/RHEL-07-040250.rst
@ -1,7 +1,32 @@
 ---
 id: RHEL-07-040250
-status: not implemented
+status: opt-in
 tag: misc
 ---

-This STIG requirement is not yet implemented.
+Although the STIG requires that incoming TCP connections are rate limited with
+``firewalld``, this setting can cause problems with certain applications which
+handle large amounts of TCP connections. Therefore, the tasks in the security
+role do not apply the rate limit by default.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_enable_firewalld_rate_limit: yes
+
+The STIG recommends a limit of 25 connection per minute and allowing bursts up
+to 100 connections. Both of these options are adjustable with the following
+Ansible variables:
+
+.. code-block:: yaml
+
+    security_enable_firewalld_rate_limit_per_minute: 25
+    security_enable_firewalld_rate_limit_burst: 100
+
+.. warning::
+
+    Deployers should test rate limiting in a non-production environment first
+    before applying it to production systems. Ensure that the application
+    running on the system is receiving a large volume of requests so that the
+    rule can be thoroughly tested.
--- a/tasks/rhel7stig/misc.yml
+++ b/tasks/rhel7stig/misc.yml
@ -158,3 +158,15 @@
    - medium
    - misc
    - RHEL-07-040290
+
+- name: Limit new TCP connections to 25/minute and allow bursting to 100
+  command: "firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT"
+  register: add_rate_limit_firewalld_rule
+  changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout"
+  when:
+    - firewalld_status_check.rc != 3
+    - security_enable_firewalld_rate_limit | bool
+  tags:
+    - medium
+    - misc
+    - RHEL-07-040250