On 12/10/13, 4:56 PM, Rodney L. Mercer wrote:
On Tue, 2013-12-10 at 16:31 -0500, Rodney L. Mercer wrote:
>On Tue, 2013-12-10 at 13:54 -0500, Shawn Wells wrote:
> >On 12/9/13, 3:48 PM, Rodney L. Mercer wrote:
> >
> > >When "Rule ID: kernel_module_ipv6_option_disabled" passes, "Rule ID:
> > >sysctl_ipv6_default_accept_redirects" is doomed to failure.
> > >
> > >I've figured out a fix for the failure of "Rule ID:
> > >sysctl_ipv6_default_accept_redirects CCE-27166-8",
> > >when "Rule ID: kernel_module_ipv6_option_disabled CCE-27153-6"
> > >passes test.
> > >
> > >
> > >I've attached the diff output between my changes and the original of the
> > >sysctl_net_ipv6_conf_default_accept_redirects.xml file contents.
> > >
> > >Unfortunately, the sysctl_net_ipv6_conf_default_accept_redirects.xml
> > >file is generated by: create_sysctl_checks.py,  and the python script
> > >does not take into account the problem.
> > >
> > >
> > >Any suggestions for implementation are appreciated.
> > >
> > >Thanks,
> > >Rodney.
> > >
> > >sysctl_net_ipv6_conf_default_accept_redirects.xml.diff
> > >[root@wahoo checks]# diff 
sysctl_net_ipv6_conf_default_accept_redirects.xml 
~/sysctl_net_ipv6_conf_default_accept_redirects.xml.orig
> > >12,22c12,14
> > ><     <criteria operator="OR">
> > ><       <criteria operator="AND">
> > ><         <criterion comment="kernel runtime parameter 
net.ipv6.conf.default.accept_redirects set to 0" 
test_ref="test_runtime_sysctl_net_ipv6_conf_default_accept_redirects" />
> > ><         <criterion comment="kernel /etc/sysctl.conf parameter 
net.ipv6.conf.default.accept_redirects set to 0" 
test_ref="test_static_sysctl_net_ipv6_conf_default_accept_redirects" />
> > ><       </criteria>
> > ><       <criteria operator="AND">
> > ><         <extend_definition comment="IPv6 disabled"
> > ><         definition_ref="kernel_module_ipv6_option_disabled" />
> > ><         <criterion comment="ipv6 disabled any modprobe conf file"
> > ><         test_ref="test_kernel_module_ipv6_option_disabled" />
> > ><       </criteria>
> > >---
> > > > >     <criteria operator="AND">
> > > > >       <criterion comment="kernel runtime parameter 
net.ipv6.conf.default.accept_redirects set to 0" 
test_ref="test_runtime_sysctl_net_ipv6_conf_default_accept_redirects" />
> > > > >       <criterion comment="kernel /etc/sysctl.conf parameter 
net.ipv6.conf.default.accept_redirects set to 0" 
test_ref="test_static_sysctl_net_ipv6_conf_default_accept_redirects" />
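Review bot: the second AND branch of the new OR checks the same condition twice: `<extend_definition comment="IPv6 disabled" definition_ref="kernel_module_ipv6_option_disabled" />` and `<criterion comment="ipv6 disabled any modprobe conf file" test_ref="test_kernel_module_ipv6_option_disabled" />` both express "IPv6 disabled via modprobe", and the bare test_ref couples this file to a test ID declared in another check file; keep the extend_definition alone and drop the criterion. Two further points for whoever applies this: the diff was taken as `diff <modified> <original>`, so the `<` lines are the proposed change and the `>` lines are the current tree, the reverse of what a reader expects; and, as the mail itself notes, this XML is generated by create_sysctl_checks.py, so a hand edit to the generated file will be lost on the next run and the change must land in the generator (or the check be pulled out of the template list).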
> >
> >Works for me....
> >
> >[shawn@SSG-RHEL6 checks]$ sudo grep
> >ipv6 /etc/modprobe.d/disabled.conf
> >options ipv6 disable=1
> >
> >[shawn@SSG-RHEL6 checks]$ sudo ./testcheck.py
> >kernel_module_ipv6_option_disabled.xml
> >Evaluating with OVAL
> >tempfile : /tmp/kernel_module_ipv6_option_disabledwCcEnH.xml
> >Writing results
> >to : /tmp/kernel_module_ipv6_option_disabledwCcEnH.xml-results
> >Definition oval:scap-security-guide.testing:def:323: true
> >Evaluation done.
> >
> >[shawn@SSG-RHEL6 checks]$ sudo sysctl -a | grep
> >net.ipv6.conf.default.accept_redirects
> >net.ipv6.conf.default.accept_redirects = 0
> >
> >[shawn@SSG-RHEL6 checks]$ sudo grep
> >"net.ipv6.conf.default.accept_redirects" /etc/sysctl.conf
> >net.ipv6.conf.default.accept_redirects = 0
> >
> >[shawn@SSG-RHEL6 checks]$ ./testcheck.py
> >sysctl_net_ipv6_conf_default_accept_redirects.xml
> >Evaluating with OVAL
> >tempfile : /tmp/sysctl_net_ipv6_conf_default_accept_redirectsH7PBwZ.xml
> >Writing results
> >to : /tmp/sysctl_net_ipv6_conf_default_accept_redirectsH7PBwZ.xml-results
> >Definition oval:scap-security-guide.testing:def:317: true
> >Evaluation done.
> >
>Shawn,
>
>Here is what I get:
>
>[root@wahoo checks]# grep ipv6 /etc/modprobe.d/disabled.conf
>options ipv6 disable=1
>
>[root@wahoo checks]# ./testcheck.py
>kernel_module_ipv6_option_disabled.xml
>Evaluating with OVAL
>tempfile : /tmp/kernel_module_ipv6_option_disabledCQ3qHP.xml
>Writing results
>to : /tmp/kernel_module_ipv6_option_disabledCQ3qHP.xml-results
>Definition oval:scap-security-guide.testing:def:106: true
>Evaluation done.
>
>[root@wahoo checks]# grep
>net.ipv6.conf.default.accept_redirects /etc/sysctl.conf
>net.ipv6.conf.default.accept_redirects = 0
>
>[root@wahoo checks]# sysctl net.ipv6.conf.default.accept_redirect=0
>error: "net.ipv6.conf.default.accept_redirect" is an unknown key
>
>[root@wahoo checks]# sysctl -p |grep
>net.ipv6.conf.default.accept_redirect
>error: "net.ipv6.conf.default.accept_redirects" is an unknown key
>error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
>error: "net.bridge.bridge-nf-call-iptables" is an unknown key
>error: "net.bridge.bridge-nf-call-arptables" is an unknown key
>
>
>[root@wahoo checks]# /testcheck.py
>sysctl_net_ipv6_conf_default_accept_redirects.xml
>bash: /testcheck.py: No such file or directory
>[root@wahoo checks]# ./testcheck.py
>sysctl_net_ipv6_conf_default_accept_redirects.xml
>Evaluating with OVAL
>tempfile : /tmp/sysctl_net_ipv6_conf_default_accept_redirectsYGpGVn.xml
>Writing results
>to : /tmp/sysctl_net_ipv6_conf_default_accept_redirectsYGpGVn.xml-results
>Definition oval:scap-security-guide.testing:def:100: false
>Evaluation done.
>
>I also found this old report on the problem:
>https://lists.fedorahosted.org/pipermail/scap-security-guide/2012-May/000567.html
>
>
>You must have something loaded or enabled that I don't have that allows
>sysctl net.ipv6.conf.default.accept_redirect=0 ?
>
>Thanks,
>Rodney.
>
I don't have /proc/sys/net/ipv6 on the hardened RHEL6 machine.

[root@wahoo checks]# ls /proc/sys/net/
core  ipv4  netfilter  nf_conntrack_max  unix

I assume that you must have:

# cat /proc/sys/net/ipv6/conf/all/accept_redirects
1

Or, you know, I could have rebooted after disabling IPv6... =/

Fully able to replicate your setup after a reboot. Pushed your bugfix:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=6a271a5df50529dc0ee4800dfce0933114c4677b

Made a slight change to reflect updated signoff date, and removed this check from the sysctl templates.
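The OR logic that the patch introduces, written out as a POSIX shell check rather than OVAL so it can be run by hand on a box where IPv6 is disabled through modprobe and /proc/sys/net/ipv6 is therefore absent. This is an added example, not code from the SCAP Security Guide project or from either poster; the function names and the parameterised paths (sysctl config file, modprobe.d directory, proc root) are this example's own choices so the check can be pointed at fixture directories as well as the live system.

```shell
#!/bin/sh
# Added example, not SSG code: shell equivalent of the patched OVAL definition
# for net.ipv6.conf.default.accept_redirects.
#
# Pass when EITHER
#   (a) the runtime value AND the /etc/sysctl.conf value are both 0, OR
#   (b) IPv6 is disabled by "options ipv6 disable=1" in a modprobe .conf file
#       (the kernel_module_ipv6_option_disabled condition); in that case
#       /proc/sys/net/ipv6 does not exist and (a) can never be evaluated.
# All paths are parameters (this example's own choice) so the check can be
# run against fixtures as well as the live system.

KEY=net.ipv6.conf.default.accept_redirects

# (b): any *.conf in the modprobe directory carrying the disable option
ipv6_module_disabled() {
    dir=$1
    [ -d "$dir" ] || return 1
    grep -Eqs '^[[:space:]]*options[[:space:]]+ipv6[[:space:]]+disable=1([[:space:]]|$)' "$dir"/*.conf
}

# (a, static): the last assignment of KEY in the sysctl config must be 0,
# matching the "last one wins" behaviour of sysctl -p
sysctl_static_ok() {
    conf=$1
    val=$(grep -E "^[[:space:]]*${KEY}[[:space:]]*=" "$conf" 2>/dev/null \
          | tail -n 1 | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
    [ "$val" = "0" ]
}

# (a, runtime): the /proc/sys file must exist and read 0. A missing file is
# a FAIL here, which is exactly what the unpatched check hit with IPv6 off.
sysctl_runtime_ok() {
    proc_root=$1
    path="$proc_root/sys/$(printf '%s' "$KEY" | tr . /)"
    [ -r "$path" ] && [ "$(cat "$path")" = "0" ]
}

# check_accept_redirects SYSCTL_CONF MODPROBE_DIR [PROC_ROOT]
# exit status 0 = pass, 1 = fail; prints which branch decided the result
check_accept_redirects() {
    sysctl_conf=$1
    modprobe_dir=$2
    proc_root=${3:-/proc}

    if ipv6_module_disabled "$modprobe_dir"; then
        echo "PASS: IPv6 disabled via $modprobe_dir, $KEY not applicable"
        return 0
    fi
    if sysctl_runtime_ok "$proc_root" && sysctl_static_ok "$sysctl_conf"; then
        echo "PASS: $KEY = 0 at runtime and in $sysctl_conf"
        return 0
    fi
    echo "FAIL: $KEY is not 0 at runtime and in $sysctl_conf, and IPv6 is not disabled"
    return 1
}

# Evaluate the live system when run as: sh check_accept_redirects.sh --system
if [ "${1:-}" = "--system" ]; then
    check_accept_redirects /etc/sysctl.conf /etc/modprobe.d /proc
    exit $?
fi
```

Run with `--system` on the two hosts from the thread and the branch that fires is printed: on the rebooted box with `options ipv6 disable=1` the modprobe branch passes without ever touching /proc/sys/net/ipv6, while on a box that still has the module loaded the runtime and static values are both required, so a stale /etc/sysctl.conf or a missing `sysctl -p` still fails.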
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
