On 12/9/13, 3:48 PM, Rodney L. Mercer wrote:
When "Rule ID: kernel_module_ipv6_option_disabled" passes, "Rule ID:
sysctl_ipv6_default_accept_redirects" is doomed to failure.
I've figured out a fix for the failure of "Rule ID:
sysctl_ipv6_default_accept_redirects CCE-27166-8",
when "Rule ID: kernel_module_ipv6_option_disabled CCE-27153-6"
passes test.
I've attached the diff output between my changes and the original of the
sysctl_net_ipv6_conf_default_accept_redirects.xml file contents.
Unfortunately, the sysctl_net_ipv6_conf_default_accept_redirects.xml
file is generated by: create_sysctl_checks.py, and the python script
does not take into account the problem.
Any suggestions for implementation are appreciated.
Thanks,
Rodney.
sysctl_net_ipv6_conf_default_accept_redirects.xml.diff
[root@wahoo checks]# diff sysctl_net_ipv6_conf_default_accept_redirects.xml ~/sysctl_net_ipv6_conf_default_accept_redirects.xml.orig
12,22c12,14
< <criteria operator="OR">
< <criteria operator="AND">
< <criterion comment="kernel runtime parameter net.ipv6.conf.default.accept_redirects set
to 0" test_ref="test_runtime_sysctl_net_ipv6_conf_default_accept_redirects" />
< <criterion comment="kernel /etc/sysctl.conf parameter
net.ipv6.conf.default.accept_redirects set to 0"
test_ref="test_static_sysctl_net_ipv6_conf_default_accept_redirects" />
< </criteria>
< <criteria operator="AND">
< <extend_definition comment="IPv6 disabled"
< definition_ref="kernel_module_ipv6_option_disabled" />
< <criterion comment="ipv6 disabled any modprobe conf file"
< test_ref="test_kernel_module_ipv6_option_disabled" />
< </criteria>
---
> <criteria operator="AND">
> <criterion comment="kernel runtime parameter net.ipv6.conf.default.accept_redirects set
to 0" test_ref="test_runtime_sysctl_net_ipv6_conf_default_accept_redirects" />
> <criterion comment="kernel /etc/sysctl.conf parameter
net.ipv6.conf.default.accept_redirects set to 0"
test_ref="test_static_sysctl_net_ipv6_conf_default_accept_redirects" />
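Review bot: the second AND branch of the new OR pairs an extend_definition of "kernel_module_ipv6_option_disabled" with a criterion on "test_kernel_module_ipv6_option_disabled"; if that definition already evaluates the same test, the extra criterion adds nothing and only ties this file to a test id defined elsewhere, so keeping just the '<extend_definition comment="IPv6 disabled" definition_ref="kernel_module_ipv6_option_disabled" />' line would be enough. Two smaller points: the diff was run as "diff modified original", so the '<' lines are the proposed change and the '>' lines the current file, reversed from the usual order (patch would need -R to apply it); and since the file is produced by create_sysctl_checks.py, the OR wrapper has to be emitted by the generator for the net.ipv6 sysctls or it will disappear on the next regeneration.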
Works for me....
[shawn@SSG-RHEL6 checks]$ sudo grep ipv6 /etc/modprobe.d/disabled.conf
options ipv6 disable=1
[shawn@SSG-RHEL6 checks]$ sudo ./testcheck.py kernel_module_ipv6_option_disabled.xml
Evaluating with OVAL tempfile :
/tmp/kernel_module_ipv6_option_disabledwCcEnH.xml
Writing results to :
/tmp/kernel_module_ipv6_option_disabledwCcEnH.xml-results
Definition oval:scap-security-guide.testing:def:323: true
Evaluation done.
[shawn@SSG-RHEL6 checks]$ sudo sysctl -a | grep net.ipv6.conf.default.accept_redirects
net.ipv6.conf.default.accept_redirects = 0
[shawn@SSG-RHEL6 checks]$ sudo grep "net.ipv6.conf.default.accept_redirects" /etc/sysctl.conf
net.ipv6.conf.default.accept_redirects = 0
[shawn@SSG-RHEL6 checks]$ ./testcheck.py sysctl_net_ipv6_conf_default_accept_redirects.xml
Evaluating with OVAL tempfile :
/tmp/sysctl_net_ipv6_conf_default_accept_redirectsH7PBwZ.xml
Writing results to :
/tmp/sysctl_net_ipv6_conf_default_accept_redirectsH7PBwZ.xml-results
Definition oval:scap-security-guide.testing:def:317: true
Evaluation done.
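To see why the OR wrapper in the quoted diff matters, here is an added Python example (not part of this thread or of scap-security-guide) that evaluates both criteria trees from the diff with a tiny OVAL-style evaluator over xml.etree, standing in for a real OVAL interpreter. It assumes, as a constructed host state, that disabling IPv6 makes the runtime sysctl test fail while the /etc/sysctl.conf test still passes.

```python
import xml.etree.ElementTree as ET

# Criteria trees copied from the diff above (criterion comments dropped):
# Rodney's OR wrapper and the AND-only tree the generator currently emits.
PATCHED = """<criteria operator="OR">
  <criteria operator="AND">
    <criterion test_ref="test_runtime_sysctl_net_ipv6_conf_default_accept_redirects"/>
    <criterion test_ref="test_static_sysctl_net_ipv6_conf_default_accept_redirects"/>
  </criteria>
  <criteria operator="AND">
    <extend_definition definition_ref="kernel_module_ipv6_option_disabled"/>
    <criterion test_ref="test_kernel_module_ipv6_option_disabled"/>
  </criteria>
</criteria>"""
ORIGINAL = """<criteria operator="AND">
  <criterion test_ref="test_runtime_sysctl_net_ipv6_conf_default_accept_redirects"/>
  <criterion test_ref="test_static_sysctl_net_ipv6_conf_default_accept_redirects"/>
</criteria>"""

def evaluate(node, tests, definitions):
    """OVAL-style evaluation: a criterion yields its test result, an
    extend_definition the referenced definition's result, and a criteria
    element folds its children with AND (the default) or OR."""
    if node.tag == "criterion":
        return tests[node.get("test_ref")]
    if node.tag == "extend_definition":
        return definitions[node.get("definition_ref")]
    results = [evaluate(child, tests, definitions) for child in node]
    return all(results) if node.get("operator", "AND") == "AND" else any(results)

def check(xml_text, ipv6_disabled):
    """Constructed host state (an assumption, not stated in the thread): with
    IPv6 disabled the runtime net.ipv6.* key is absent, so the runtime test is
    false; the /etc/sysctl.conf line is present either way."""
    tests = {
        "test_runtime_sysctl_net_ipv6_conf_default_accept_redirects": not ipv6_disabled,
        "test_static_sysctl_net_ipv6_conf_default_accept_redirects": True,
        "test_kernel_module_ipv6_option_disabled": ipv6_disabled,
    }
    definitions = {"kernel_module_ipv6_option_disabled": ipv6_disabled}
    return evaluate(ET.fromstring(xml_text), tests, definitions)

if __name__ == "__main__":
    for label, tree in (("original", ORIGINAL), ("patched", PATCHED)):
        for disabled in (False, True):
            print(f"{label:8} ipv6_disabled={disabled!s:5} -> {check(tree, disabled)}")
```

Under these assumptions the original tree passes only while IPv6 is enabled, and the patched tree passes in both states.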
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide