On Tue, 2013-12-10 at 13:54 -0500, Shawn Wells wrote:
> On 12/9/13, 3:48 PM, Rodney L. Mercer wrote:
> >
> > When "Rule ID: kernel_module_ipv6_option_disabled" passes, "Rule ID:
> > sysctl_ipv6_default_accept_redirects" is doomed to failure.
> >
> > I've figured out a fix for the failure of "Rule ID:
> > sysctl_ipv6_default_accept_redirects CCE-27166-8",
> > when "Rule ID: kernel_module_ipv6_option_disabled CCE-27153-6"
> > passes test.
> >
> >
> > I've attached the diff output between my changes and the original of the
> > sysctl_net_ipv6_conf_default_accept_redirects.xml file contents.
> >
> > Unfortunately, the sysctl_net_ipv6_conf_default_accept_redirects.xml
> > file is generated by: create_sysctl_checks.py, and the python script
> > does not take into account the problem.
> >
> >
> > Any suggestions for implementation are appreciated.
> >
> > Thanks,
> > Rodney.
> >
> > sysctl_net_ipv6_conf_default_accept_redirects.xml.diff
> > [root@wahoo checks]# diff sysctl_net_ipv6_conf_default_accept_redirects.xml
> > ~/sysctl_net_ipv6_conf_default_accept_redirects.xml.orig
> > 12,22c12,14
> > < <criteria operator="OR">
> > < <criteria operator="AND">
> > < <criterion comment="kernel runtime parameter
> > net.ipv6.conf.default.accept_redirects set to 0"
> > test_ref="test_runtime_sysctl_net_ipv6_conf_default_accept_redirects" />
> > < <criterion comment="kernel /etc/sysctl.conf parameter
> > net.ipv6.conf.default.accept_redirects set to 0"
> > test_ref="test_static_sysctl_net_ipv6_conf_default_accept_redirects" />
> > < </criteria>
> > < <criteria operator="AND">
> > < <extend_definition comment="IPv6 disabled"
> > < definition_ref="kernel_module_ipv6_option_disabled" />
> > < <criterion comment="ipv6 disabled any modprobe conf file"
> > < test_ref="test_kernel_module_ipv6_option_disabled" />
> > < </criteria>
> > ---
> > > > <criteria operator="AND">
> > > > <criterion comment="kernel runtime parameter
> > > > net.ipv6.conf.default.accept_redirects set to 0"
> > > > test_ref="test_runtime_sysctl_net_ipv6_conf_default_accept_redirects" />
> > > > <criterion comment="kernel /etc/sysctl.conf parameter
> > > > net.ipv6.conf.default.accept_redirects set to 0"
> > > > test_ref="test_static_sysctl_net_ipv6_conf_default_accept_redirects" />
>
> Works for me....
>
> [shawn@SSG-RHEL6 checks]$ sudo grep ipv6 /etc/modprobe.d/disabled.conf
> options ipv6 disable=1
>
> [shawn@SSG-RHEL6 checks]$ sudo ./testcheck.py kernel_module_ipv6_option_disabled.xml
> Evaluating with OVAL tempfile : /tmp/kernel_module_ipv6_option_disabledwCcEnH.xml
> Writing results to : /tmp/kernel_module_ipv6_option_disabledwCcEnH.xml-results
> Definition oval:scap-security-guide.testing:def:323: true
> Evaluation done.
>
> [shawn@SSG-RHEL6 checks]$ sudo sysctl -a | grep net.ipv6.conf.default.accept_redirects
> net.ipv6.conf.default.accept_redirects = 0
>
> [shawn@SSG-RHEL6 checks]$ sudo grep "net.ipv6.conf.default.accept_redirects" /etc/sysctl.conf
> net.ipv6.conf.default.accept_redirects = 0
>
> [shawn@SSG-RHEL6 checks]$ ./testcheck.py sysctl_net_ipv6_conf_default_accept_redirects.xml
> Evaluating with OVAL tempfile : /tmp/sysctl_net_ipv6_conf_default_accept_redirectsH7PBwZ.xml
> Writing results to : /tmp/sysctl_net_ipv6_conf_default_accept_redirectsH7PBwZ.xml-results
> Definition oval:scap-security-guide.testing:def:317: true
> Evaluation done.
>

Shawn,
Here is what I get:

[root@wahoo checks]# grep ipv6 /etc/modprobe.d/disabled.conf
options ipv6 disable=1
[root@wahoo checks]# ./testcheck.py kernel_module_ipv6_option_disabled.xml
Evaluating with OVAL tempfile : /tmp/kernel_module_ipv6_option_disabledCQ3qHP.xml
Writing results to : /tmp/kernel_module_ipv6_option_disabledCQ3qHP.xml-results
Definition oval:scap-security-guide.testing:def:106: true
Evaluation done.
[root@wahoo checks]# grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf
net.ipv6.conf.default.accept_redirects = 0
[root@wahoo checks]# sysctl net.ipv6.conf.default.accept_redirect=0
error: "net.ipv6.conf.default.accept_redirect" is an unknown key
[root@wahoo checks]# sysctl -p |grep net.ipv6.conf.default.accept_redirect
error: "net.ipv6.conf.default.accept_redirects" is an unknown key
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
[root@wahoo checks]# /testcheck.py sysctl_net_ipv6_conf_default_accept_redirects.xml
bash: /testcheck.py: No such file or directory
[root@wahoo checks]# ./testcheck.py sysctl_net_ipv6_conf_default_accept_redirects.xml
Evaluating with OVAL tempfile : /tmp/sysctl_net_ipv6_conf_default_accept_redirectsYGpGVn.xml
Writing results to : /tmp/sysctl_net_ipv6_conf_default_accept_redirectsYGpGVn.xml-results
Definition oval:scap-security-guide.testing:def:100: false
Evaluation done.

I also found this old report on the problem:
https://lists.fedorahosted.org/pipermail/scap-security-guide/2012-May/000567.html

You must have something loaded or enabled that I don't have that allows
sysctl net.ipv6.conf.default.accept_redirect=0 ?

Thanks,
Rodney.
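Review bot: in the quoted diff, the second branch of the new `<criteria operator="OR">` checks the same condition twice: `<extend_definition comment="IPv6 disabled" definition_ref="kernel_module_ipv6_option_disabled" />` already pulls in the result of that definition, and the following `<criterion comment="ipv6 disabled any modprobe conf file" test_ref="test_kernel_module_ipv6_option_disabled" />` points directly at a test that presumably lives in kernel_module_ipv6_option_disabled.xml, so this check file no longer stands on its own when run through testcheck.py. Suggest keeping only the extend_definition in that branch. And, as the first message already notes, sysctl_net_ipv6_conf_default_accept_redirects.xml is regenerated by create_sysctl_checks.py, so the OR wrapper for the net.ipv6.* keys has to be emitted by the generator; editing the generated XML is lost on the next run.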
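The thread asks how a generator could produce the "IPv6 disabled" alternative branch instead of hand-editing the generated XML. The following is an added example, not code from the SCAP Security Guide project or its create_sysctl_checks.py; the function names `build_criteria` and `evaluate` are hypothetical, while the rule, test and definition ids follow the naming visible in the quoted diff (`test_runtime_sysctl_*`, `test_static_sysctl_*`, `kernel_module_ipv6_option_disabled`). It emits the plain AND criteria for ordinary sysctl keys, wraps net.ipv6.* keys in an OR with a single extend_definition (no duplicated criterion), and includes a tiny AND/OR evaluator so the effect of the OR on a host with IPv6 disabled can be checked without running OVAL.

```python
"""Hypothetical generator fragment: OVAL <criteria> for a sysctl check,
with an 'IPv6 disabled' alternative for net.ipv6.* keys.  Added example,
not the project's own create_sysctl_checks.py."""
import xml.etree.ElementTree as ET

# Definition id taken from the thread; the extend_definition below refers to it.
IPV6_DISABLED_DEF = "kernel_module_ipv6_option_disabled"


def build_criteria(sysctl_var: str, value: str = "0") -> ET.Element:
    """Return the <criteria> element for one sysctl variable.

    Ordinary keys: AND(runtime test, /etc/sysctl.conf test).
    net.ipv6.* keys: OR(that AND, extend_definition 'IPv6 disabled'),
    because the runtime key does not exist when the ipv6 module is disabled.
    """
    rule = "sysctl_" + sysctl_var.replace(".", "_")
    runtime = ET.Element(
        "criterion",
        comment=f"kernel runtime parameter {sysctl_var} set to {value}",
        test_ref=f"test_runtime_{rule}",
    )
    static = ET.Element(
        "criterion",
        comment=f"kernel /etc/sysctl.conf parameter {sysctl_var} set to {value}",
        test_ref=f"test_static_{rule}",
    )
    both = ET.Element("criteria", operator="AND")
    both.extend([runtime, static])
    if not sysctl_var.startswith("net.ipv6."):
        return both

    # Alternative branch: the whole definition also passes when IPv6 is off.
    ipv6_off = ET.Element(
        "extend_definition", comment="IPv6 disabled", definition_ref=IPV6_DISABLED_DEF
    )
    top = ET.Element("criteria", operator="OR")
    top.extend([both, ipv6_off])
    return top


def to_xml(sysctl_var: str) -> str:
    """Serialise the criteria as the generator would write it into the check file."""
    return ET.tostring(build_criteria(sysctl_var), encoding="unicode")


def evaluate(node: ET.Element, results: dict) -> bool:
    """Minimal AND/OR evaluator over a criteria tree.

    `results` maps a test_ref or definition_ref to its boolean outcome;
    anything missing counts as False (an unknown sysctl key cannot pass).
    """
    if node.tag == "criterion":
        return bool(results.get(node.get("test_ref"), False))
    if node.tag == "extend_definition":
        return bool(results.get(node.get("definition_ref"), False))
    outcomes = [evaluate(child, results) for child in node]
    return all(outcomes) if node.get("operator") == "AND" else any(outcomes)


if __name__ == "__main__":
    print(to_xml("net.ipv6.conf.default.accept_redirects"))
    # Constructed sample results for a host with IPv6 disabled: the runtime
    # test fails (key absent), the sysctl.conf test passes, the module is off.
    sample = {
        "test_runtime_sysctl_net_ipv6_conf_default_accept_redirects": False,
        "test_static_sysctl_net_ipv6_conf_default_accept_redirects": True,
        IPV6_DISABLED_DEF: True,
    }
    print(evaluate(build_criteria("net.ipv6.conf.default.accept_redirects"), sample))
```

The evaluator is only there to make the point of the OR visible: with the sample results above the plain AND form fails (runtime key absent), while the OR form passes; set the `kernel_module_ipv6_option_disabled` result to False and the OR form fails again, as it should on a host where IPv6 is enabled but the runtime value is wrong.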
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
