Disable Unused Interfaces

An XCCDF Group

Description

Network interfaces expand the attack surface of the system. Unused interfaces are not monitored or controlled, and should be disabled.

If the system does not require network communications but still needs to use the loopback interface, remove all files of the form ifcfg-interface (where interface is the device name, e.g. eth0) except for ifcfg-lo from /etc/sysconfig/network-scripts:

$ sudo rm /etc/sysconfig/network-scripts/ifcfg-interface
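
The following audit-and-remediate script is an added example, not part of the XCCDF content or the SCAP Security Guide: it lists every ifcfg-* file other than ifcfg-lo in a given directory, reports the interface each one configures, and removes them on request. The function names and the sample directory it builds are constructed for the demonstration; point it at /etc/sysconfig/network-scripts on a real system.

```shell
#!/bin/sh
# Added example (not from the XCCDF group): audit a network-scripts directory
# for ifcfg-* files other than ifcfg-lo and, optionally, remove them.

# Print the path of every ifcfg-* file except ifcfg-lo, one per line.
unused_ifcfg_files() {
    dir=$1
    for f in "$dir"/ifcfg-*; do
        [ -e "$f" ] || continue                  # glob matched nothing
        [ "${f##*/}" = "ifcfg-lo" ] && continue  # loopback config may stay
        printf '%s\n' "$f"
    done
}

# Interface name an ifcfg file configures: DEVICE= or NAME=, else the suffix.
ifcfg_device() {
    name=$(sed -n -e 's/^DEVICE=//p' -e 's/^NAME=//p' "$1" | head -n 1 | tr -d '"')
    [ -n "$name" ] && printf '%s\n' "$name" || printf '%s\n' "${1##*/ifcfg-}"
}

# Report in PASS/FAIL style; returns non-zero while non-loopback configs remain.
audit_ifcfg() {
    unused_ifcfg_files "$1" | while IFS= read -r f; do
        echo "FAIL: $f configures interface $(ifcfg_device "$f")"
    done
    count=$(unused_ifcfg_files "$1" | wc -l | tr -d ' ')
    [ "$count" -eq 0 ] && echo "PASS: only ifcfg-lo remains in $1"
    [ "$count" -eq 0 ]
}

# Remediation described above: remove every non-loopback ifcfg file.
remove_unused_ifcfg() {
    unused_ifcfg_files "$1" | while IFS= read -r f; do rm -f -- "$f"; done
}

# Constructed sample directory so the script runs offline; not a real system.
SAMPLE_DIR=$(mktemp -d)
printf 'DEVICE=lo\nONBOOT=yes\n' > "$SAMPLE_DIR/ifcfg-lo"
printf 'DEVICE="eth0"\nBOOTPROTO=dhcp\nONBOOT=yes\n' > "$SAMPLE_DIR/ifcfg-eth0"
printf 'NAME=ens3\nONBOOT=no\n' > "$SAMPLE_DIR/ifcfg-ens3"

audit_ifcfg "$SAMPLE_DIR" || :   # two FAIL lines for eth0 and ens3
```

Run the audit first; only call remove_unused_ifcfg on a machine that genuinely needs nothing but loopback, since it deletes every other interface configuration.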

If the system is a standalone machine with no need for network access or even communication over the loopback device, then disable the network service entirely. On OpenShift it can be disabled with the following manifest:
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-network-disable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - enabled: false
        name: network.service

This will disable the network service in all the nodes labeled with the "master" role.

Note that this needs to be done for each MachineConfigPool (the manifest above targets only the "master" role).

For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

ID
xccdf_org.ssgproject.content_group_network_disable_unused_interfaces