When "Rule ID: kernel_module_ipv6_option_disabled" passes, "Rule ID:
sysctl_ipv6_default_accept_redirects" is doomed to failure.

I've figured out a fix for the failure of "Rule ID:
sysctl_ipv6_default_accept_redirects CCE-27166-8"
when "Rule ID: kernel_module_ipv6_option_disabled CCE-27153-6"
passes its test.


I've attached the diff output between my changes and the original contents
of the sysctl_net_ipv6_conf_default_accept_redirects.xml file.

Unfortunately, the sysctl_net_ipv6_conf_default_accept_redirects.xml
file is generated by create_sysctl_checks.py, and the Python script
does not take the problem into account.


Any suggestions for implementation are appreciated.

Thanks,
Rodney.
[root@wahoo checks]# diff sysctl_net_ipv6_conf_default_accept_redirects.xml ~/sysctl_net_ipv6_conf_default_accept_redirects.xml.orig 
12,22c12,14
<     <criteria operator="OR">
<       <criteria operator="AND">
<         <criterion comment="kernel runtime parameter net.ipv6.conf.default.accept_redirects set to 0" test_ref="test_runtime_sysctl_net_ipv6_conf_default_accept_redirects" />
<         <criterion comment="kernel /etc/sysctl.conf parameter net.ipv6.conf.default.accept_redirects set to 0" test_ref="test_static_sysctl_net_ipv6_conf_default_accept_redirects" />
<       </criteria>
<       <criteria operator="AND">
<         <extend_definition comment="IPv6 disabled"
<         definition_ref="kernel_module_ipv6_option_disabled" />
<         <criterion comment="ipv6 disabled any modprobe conf file" 
<         test_ref="test_kernel_module_ipv6_option_disabled" />
<       </criteria>
---
>     <criteria operator="AND">
>       <criterion comment="kernel runtime parameter net.ipv6.conf.default.accept_redirects set to 0" test_ref="test_runtime_sysctl_net_ipv6_conf_default_accept_redirects" />
>       <criterion comment="kernel /etc/sysctl.conf parameter net.ipv6.conf.default.accept_redirects set to 0" test_ref="test_static_sysctl_net_ipv6_conf_default_accept_redirects" />
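
Review bot: The second AND block on the '<' side pairs extend_definition definition_ref="kernel_module_ipv6_option_disabled" with a criterion on test_ref="test_kernel_module_ipv6_option_disabled", and that test is not declared in the lines shown, so the reference only resolves if the test is defined elsewhere in the combined OVAL content. If the extended definition already evaluates that test, drop the criterion and keep only the extend_definition so the IPv6-disabled condition is stated once. Since this file is produced by create_sysctl_checks.py, the OR wrapper should go into the generator rather than the generated XML, where a hand edit will not survive regeneration. The diff was also run with the modified file first, so the proposed lines appear as '<' removals; a unified diff taken from original to modified would be easier to review and apply.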

_______________________________________________
scap-security-guide mailing list
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
