ACK. Thanks -- we totally want to make sure the content does not fail admins (who might have configured their boxes even more restrictively!) when it should pass.
On 08/20/2012 12:14 PM, Michael Palmiotto wrote: > Two ipv6 sysctl entry checks were missing extend-definitions. > > Signed-off-by: Michael Palmiotto <[email protected]> > --- > .../sysctl_net_ipv6_conf_all_disable_ipv6.xml | 3 ++- > ...sctl_net_ipv6_conf_default_accept_redirects.xml | 3 ++- > 2 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/RHEL6/input/checks/sysctl_net_ipv6_conf_all_disable_ipv6.xml > b/RHEL6/input/checks/sysctl_net_ipv6_conf_all_disable_ipv6.xml > index 28a1ca2..d748dde 100644 > --- a/RHEL6/input/checks/sysctl_net_ipv6_conf_all_disable_ipv6.xml > +++ b/RHEL6/input/checks/sysctl_net_ipv6_conf_all_disable_ipv6.xml > @@ -9,7 +9,8 @@ > <description>The kernel runtime parameter > "net.ipv6.conf.all.disable_ipv6" should be set to "1".</description> > <!-- generated by create_sysctl_checks.py --> > </metadata> > - <criteria> > + <criteria operator="OR"> > + <extend_definition comment="IPv6 disabled or..." > > definition_ref="kernel_module_ipv6_option_disabled" /> > <criterion comment="kernel runtime parameter > net.ipv6.conf.all.disable_ipv6 set to 1" > test_ref="test_sysctl_net_ipv6_conf_all_disable_ipv6" /> > </criteria> > </definition> > diff --git > a/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml > b/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml > index 7978ba7..dea99ab 100644 > --- a/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml > +++ b/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml 
> @@ -9,7 +9,8 @@ > <reference ref_id="CCE-4365-3" source="CCE" /> > <description>The kernel runtime parameter > "net.ipv6.conf.default.accept_redirects" should be set to "0".</description> > </metadata> > - <criteria> > + <criteria operator="OR"> > + <extend_definition comment="IPv6 disabled or..." > > definition_ref="kernel_module_ipv6_option_disabled" /> > <criterion comment="kernel runtime parameter > net.ipv6.conf.default.accept_redirects set to 0" > test_ref="test_sysctl_net_ipv6_conf_default_accept_redirects" /> > </criteria> > </definition> _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
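Review bot: The unchanged context in sysctl_net_ipv6_conf_all_disable_ipv6.xml still carries the comment "generated by create_sysctl_checks.py", so this hand edit to the criteria element will be lost the next time the generator is run. Either have create_sysctl_checks.py emit the operator="OR" criteria and the extend_definition for the ipv6 checks, or drop the generated-by comment so the file is clearly maintained by hand. The description in the same context still says only that net.ipv6.conf.all.disable_ipv6 should be set to "1"; it should also mention that the definition now passes when kernel_module_ipv6_option_disabled is satisfied.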
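Review bot: In sysctl_net_ipv6_conf_default_accept_redirects.xml the new criteria operator="OR" lets the definition pass without test_sysctl_net_ipv6_conf_default_accept_redirects ever being true, yet the description in the context above it still states only that the parameter should be set to "0". Update the description to say the check also passes when IPv6 is disabled. The diffstat lists only two files changed, so definition_ref="kernel_module_ipv6_option_disabled" is not added by this patch; confirm that definition already exists under RHEL6/input/checks, and consider a fuller comment than "IPv6 disabled or..." on the extend_definition.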
