From 00857924d3e533897fbd49a804dac76c63d31610 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 30 Nov 2016 13:09:00 -0600
Subject: [PATCH] Add firewalld rate limit rule [+Docs]
This patch adds tasks that set a rate limit rule for new TCP connections. The limit can cause issues with applications that handle large amounds of TCP connections, so the limit is opt in only. Documentation is included.
Implements: blueprint security-rhel7-stig
Change-Id: If448508ae6f629c9e162beeea420100da9e08d52
---
 defaults/main.yml | 4 ++++
 doc/metadata/rhel7/RHEL-07-040250.rst | 29 +++++++++++++++++++++++++--
 tasks/rhel7stig/misc.yml | 12 +++++++++++
 3 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 4e52813b..97d726c5 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -519,6 +519,10 @@ security_enable_virus_scanner: no # RHEL-07-030810
 security_rhel7_disable_ctrl_alt_delete: yes # RHEL-07-020220
 # Install and enable firewalld for iptables management.
 security_enable_firewalld: no # RHEL-07-040290
+# Rate limit TCP connections to 25/min and burstable to 100.
+security_enable_firewalld_rate_limit: no # RHEL-07-040250
+security_enable_firewalld_rate_limit_per_minute: 25
+security_enable_firewalld_rate_limit_burst: 100
 
 ## Packages (packages)
 # Remove packages from the system as required by the STIG. Set any of these
diff --git a/doc/metadata/rhel7/RHEL-07-040250.rst b/doc/metadata/rhel7/RHEL-07-040250.rst
index 9641e70c..06ee2721 100644
--- a/doc/metadata/rhel7/RHEL-07-040250.rst
+++ b/doc/metadata/rhel7/RHEL-07-040250.rst
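Review bot: The comment introduced above `security_enable_firewalld_rate_limit` hard-codes "25/min" and "100" although the two variables added directly beneath it exist precisely so deployers can change those numbers, so the comment becomes wrong as soon as either is overridden. Suggest `# Rate limit new TCP connections via firewalld (opt in). The STIG defaults of 25/minute with a burst of 100 can be tuned below.`, keeping the `no`/`yes` toggle style the rest of this file uses. The two numeric variables might also carry the `# RHEL-07-040250` tag like the toggle does, so a grep for the STIG id finds every knob it controls.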
@@ -1,7 +1,32 @@
 ---
 id: RHEL-07-040250
-status: not implemented
+status: opt-in
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+Although the STIG requires that incoming TCP connections are rate limited with
+``firewalld``, this setting can cause problems with certain applications which
+handle large amounts of TCP connections. Therefore, the tasks in the security
+role do not apply the rate limit by default.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+ security_enable_firewalld_rate_limit: yes
+
+The STIG recommends a limit of 25 connection per minute and allowing bursts up
+to 100 connections. Both of these options are adjustable with the following
+Ansible variables:
+
+.. code-block:: yaml
+
+ security_enable_firewalld_rate_limit_per_minute: 25
+ security_enable_firewalld_rate_limit_burst: 100
+
+.. warning::
+
+ Deployers should test rate limiting in a non-production environment first
+before applying it to production systems. Ensure that the application
+ running on the system is receiving a large volume of requests so that the
+ rule can be thoroughly tested.
diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml
index 8443fec7..187e3577 100644
--- a/tasks/rhel7stig/misc.yml
+++ b/tasks/rhel7stig/misc.yml
@@ -158,3 +158,15 @@
 - medium
 - misc
 - RHEL-07-040290
+
+- name: Limit new TCP connections to 25/minute and allow bursting to 100
+ command: "firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT"
+ register: add_rate_limit_firewalld_rule
+ changed_when: "'ALREADY_ENABLED' not in add_rate_limit_firewalld_rule.stdout"
+ when:
+ - firewalld_status_check.rc != 3
+ - security_enable_firewalld_rate_limit | bool
+ tags:
+ - medium
+ - misc
+ - RHEL-07-040250
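Review bot: The `firewall-cmd --direct --add-rule` call in the new task in tasks/rhel7stig/misc.yml has no `--permanent`, so the rule lives only in firewalld's runtime configuration and is gone after `firewall-cmd --reload`, a firewalld restart or a reboot, leaving RHEL-07-040250 unenforced until the play runs again. Change it to `command: "firewall-cmd --permanent --direct --add-rule ipv4 filter IN_public_allow 0 …"` and notify a handler that reloads firewalld (or run the command once with and once without `--permanent`, since the permanent form alone does not touch the running ruleset). `changed_when` keys on `ALREADY_ENABLED` appearing in stdout, but firewall-cmd may emit that warning on stderr depending on the firewalld version, in which case the task would report changed on every run; checking `.stdout + .stderr` would be more robust. Also, the task name says "new TCP connections" while the rule matches every TCP packet (`-m tcp -p tcp` with no `--syn` or conntrack `NEW` match); this appears to mirror the STIG's recommended rule, so if that is intentional a short comment saying so would save the next reader the same question. `firewalld_status_check` is registered outside this hunk, so its `rc != 3` semantics could not be checked here.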