bfcf6c7423
This role contains around 150 controls from the 270+ controls that exist in the RHEL 6 STIG. New controls are still being added. Implements: blueprint security-hardening Change-Id: I0578f86bf42d55242bc72b97b40a5935a3cb18d6
19 lines
989 B
ReStructuredText
19 lines
989 B
ReStructuredText
**Exception**
|
|
|
|
Filtering IPv6 traffic is left up to the deployer to implement. The
|
|
openstack-ansible roles don't configure IPv6 (at this time) and adding
|
|
persistent ip6tables rules could harm a running system.
|
|
|
|
However, deployers are strongly recommended to implement IPv6 filtering at the
|
|
edges of the network via network devices. In addition, deployers should be
|
|
aware that link-local IPv6 addresses are configured automatcally by the system
|
|
and those addresses could open up new network paths for future attacks.
|
|
|
|
For example, if IPv4 access was tightly controlled and segmented, hosts and/or
|
|
containers could possibly communicate across these boundaries using IPv6
|
|
link-local addresses. For more detailed information on this security topic,
|
|
review Cisco's documentation titled `IPv6 Security Brief`_ that is available
|
|
on their website.
|
|
|
|
.. _IPv6 Security Brief: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-678658.html
|