On Tue, 2013-12-10 at 16:31 -0500, Rodney L. Mercer wrote:
> On Tue, 2013-12-10 at 13:54 -0500, Shawn Wells wrote:
> > On 12/9/13, 3:48 PM, Rodney L. Mercer wrote:
> > >
> > > When "Rule ID: kernel_module_ipv6_option_disabled" passes, "Rule ID:
> > > sysctl_ipv6_default_accept_redirects" is doomed to failure.
> > >
> > > I've figured out a fix for the failure of "Rule ID:
> > > sysctl_ipv6_default_accept_redirects CCE-27166-8",
> > > when "Rule ID: kernel_module_ipv6_option_disabled CCE-27153-6"
> > > passes test.
> > >
> > > I've attached the diff output between my changes and the original of the
> > > sysctl_net_ipv6_conf_default_accept_redirects.xml file contents.
> > >
> > > Unfortunately, the sysctl_net_ipv6_conf_default_accept_redirects.xml
> > > file is generated by: create_sysctl_checks.py, and the python script
> > > does not take into account the problem.
> > >
> > > Any suggestions for implementation are appreciated.
> > >
> > > Thanks,
> > > Rodney.
> > >
> > > sysctl_net_ipv6_conf_default_accept_redirects.xml.diff
> > > [root@wahoo checks]# diff sysctl_net_ipv6_conf_default_accept_redirects.xml ~/sysctl_net_ipv6_conf_default_accept_redirects.xml.orig
> > > 12,22c12,14
> > > < <criteria operator="OR">
> > > < <criteria operator="AND">
> > > < <criterion comment="kernel runtime parameter
> > > net.ipv6.conf.default.accept_redirects set to 0"
> > > test_ref="test_runtime_sysctl_net_ipv6_conf_default_accept_redirects" />
> > > < <criterion comment="kernel /etc/sysctl.conf parameter
> > > net.ipv6.conf.default.accept_redirects set to 0"
> > > test_ref="test_static_sysctl_net_ipv6_conf_default_accept_redirects" />
> > > < </criteria>
> > > < <criteria operator="AND">
> > > < <extend_definition comment="IPv6 disabled"
> > > < definition_ref="kernel_module_ipv6_option_disabled" />
> > > < <criterion comment="ipv6 disabled any modprobe conf file"
> > > < test_ref="test_kernel_module_ipv6_option_disabled" />
> > > < </criteria>
> > > ---
> > > > <criteria operator="AND">
> > > > <criterion comment="kernel runtime parameter
> > > net.ipv6.conf.default.accept_redirects set to 0"
> > > test_ref="test_runtime_sysctl_net_ipv6_conf_default_accept_redirects"
> > > />
> > > > <criterion comment="kernel /etc/sysctl.conf parameter
> > > net.ipv6.conf.default.accept_redirects set to 0"
> > > test_ref="test_static_sysctl_net_ipv6_conf_default_accept_redirects"
> > > />
> >
> > Works for me....
> >
> > [shawn@SSG-RHEL6 checks]$ sudo grep ipv6 /etc/modprobe.d/disabled.conf
> > options ipv6 disable=1
> >
> > [shawn@SSG-RHEL6 checks]$ sudo ./testcheck.py kernel_module_ipv6_option_disabled.xml
> > Evaluating with OVAL
> > tempfile : /tmp/kernel_module_ipv6_option_disabledwCcEnH.xml
> > Writing results to : /tmp/kernel_module_ipv6_option_disabledwCcEnH.xml-results
> > Definition oval:scap-security-guide.testing:def:323: true
> > Evaluation done.
> >
> > [shawn@SSG-RHEL6 checks]$ sudo sysctl -a | grep net.ipv6.conf.default.accept_redirects
> > net.ipv6.conf.default.accept_redirects = 0
> >
> > [shawn@SSG-RHEL6 checks]$ sudo grep "net.ipv6.conf.default.accept_redirects" /etc/sysctl.conf
> > net.ipv6.conf.default.accept_redirects = 0
> >
> > [shawn@SSG-RHEL6 checks]$ ./testcheck.py sysctl_net_ipv6_conf_default_accept_redirects.xml
> > Evaluating with OVAL
> > tempfile : /tmp/sysctl_net_ipv6_conf_default_accept_redirectsH7PBwZ.xml
> > Writing results to : /tmp/sysctl_net_ipv6_conf_default_accept_redirectsH7PBwZ.xml-results
> > Definition oval:scap-security-guide.testing:def:317: true
> > Evaluation done.
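Review bot: the second AND branch on the `<` side is redundant and brittle: `<extend_definition definition_ref="kernel_module_ipv6_option_disabled" />` already carries the full result of that definition, so the extra `<criterion test_ref="test_kernel_module_ipv6_option_disabled" />` adds nothing and ties this definition to a test object that, going by the testcheck.py runs above, lives in a different generated file (kernel_module_ipv6_option_disabled.xml) and so may be missing when this file is evaluated on its own; keep only the extend_definition inside the OR. Two smaller points: the diff was produced as `diff modified original`, so the `<` lines are the proposed change and `patch` would apply it backwards; `diff -u original modified` is the conventional direction. And since the file is emitted by create_sysctl_checks.py, as the message itself notes, the OR wrapper needs to go into the generator for the net.ipv6.* keys or the next regeneration will silently drop it.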
> >
>
> Shawn,
>
> Here is what I get:
>
> [root@wahoo checks]# grep ipv6 /etc/modprobe.d/disabled.conf
> options ipv6 disable=1
>
> [root@wahoo checks]# ./testcheck.py kernel_module_ipv6_option_disabled.xml
> Evaluating with OVAL
> tempfile : /tmp/kernel_module_ipv6_option_disabledCQ3qHP.xml
> Writing results to : /tmp/kernel_module_ipv6_option_disabledCQ3qHP.xml-results
> Definition oval:scap-security-guide.testing:def:106: true
> Evaluation done.
>
> [root@wahoo checks]# grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf
> net.ipv6.conf.default.accept_redirects = 0
>
> [root@wahoo checks]# sysctl net.ipv6.conf.default.accept_redirect=0
> error: "net.ipv6.conf.default.accept_redirect" is an unknown key
>
> [root@wahoo checks]# sysctl -p |grep net.ipv6.conf.default.accept_redirect
> error: "net.ipv6.conf.default.accept_redirects" is an unknown key
> error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
> error: "net.bridge.bridge-nf-call-iptables" is an unknown key
> error: "net.bridge.bridge-nf-call-arptables" is an unknown key
>
> [root@wahoo checks]# /testcheck.py sysctl_net_ipv6_conf_default_accept_redirects.xml
> bash: /testcheck.py: No such file or directory
> [root@wahoo checks]# ./testcheck.py sysctl_net_ipv6_conf_default_accept_redirects.xml
> Evaluating with OVAL
> tempfile : /tmp/sysctl_net_ipv6_conf_default_accept_redirectsYGpGVn.xml
> Writing results to : /tmp/sysctl_net_ipv6_conf_default_accept_redirectsYGpGVn.xml-results
> Definition oval:scap-security-guide.testing:def:100: false
> Evaluation done.
>
> I also found this old report on the problem:
> https://lists.fedorahosted.org/pipermail/scap-security-guide/2012-May/000567.html
>
> You must have something loaded or enabled that I don't have that allows
> sysctl net.ipv6.conf.default.accept_redirect=0 ?
>
> Thanks,
> Rodney.
>
I don't have /proc/sys/net/ipv6 on the hardened RHEL6 machine.

[root@wahoo checks]# ls /proc/sys/net/
core  ipv4  netfilter  nf_conntrack_max  unix

I assume that you must have:
# cat /proc/sys/net/ipv6/conf/all/accept_redirects
1

Thanks.
Rodney.

> > _______________________________________________
> > scap-security-guide mailing list
> > [email protected]
> > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
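The check logic the thread is arguing about, written out as a shell function so it can be exercised against a constructed directory tree. This is an added example, not code from the thread or from the scap-security-guide project; the ROOT prefix argument, the make_root fixture builder and the sample trees are assumptions added for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread or the SSG project): the check logic the
# proposed OVAL definition expresses, as a shell function. It passes when
# IPv6 is disabled through modprobe (then the sysctl key does not exist and
# cannot be set, which is the situation on the hardened RHEL6 host above), OR
# when net.ipv6.conf.default.accept_redirects is 0 both at runtime and in
# /etc/sysctl.conf. ROOT is an assumed prefix so it can run on a fake tree.

check_ipv6_accept_redirects() {
    root="${1:-}"
    key="net.ipv6.conf.default.accept_redirects"
    # Branch 1: "options ipv6 disable=1" in any modprobe conf file.
    if grep -qsE '^[[:space:]]*options[[:space:]]+ipv6[[:space:]].*disable=1' \
            "$root"/etc/modprobe.d/*.conf; then
        return 0
    fi
    # Branch 2a: runtime value; a missing procfs entry is the "unknown key"
    # case from the thread and counts as a failure here.
    runtime_file="$root/proc/sys/$(echo "$key" | tr . /)"
    [ -r "$runtime_file" ] || return 1
    [ "$(cat "$runtime_file")" = 0 ] || return 1
    # Branch 2b: static value in /etc/sysctl.conf.
    key_re=$(echo "$key" | sed 's/\./\\./g')
    grep -qsE "^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*0[[:space:]]*$" \
        "$root/etc/sysctl.conf"
}

# Build a constructed fake root for testing: $1 = ipv6 disabled via modprobe
# (yes/no), $2 = runtime value or "none" (no /proc/sys/net/ipv6 at all),
# $3 = value written to /etc/sysctl.conf. Prints the directory.
make_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/modprobe.d" "$d/proc/sys/net/ipv4"
    if [ "$1" = yes ]; then
        echo "options ipv6 disable=1" > "$d/etc/modprobe.d/disabled.conf"
    fi
    if [ "$2" != none ]; then
        mkdir -p "$d/proc/sys/net/ipv6/conf/default"
        echo "$2" > "$d/proc/sys/net/ipv6/conf/default/accept_redirects"
    fi
    echo "net.ipv6.conf.default.accept_redirects = $3" > "$d/etc/sysctl.conf"
    echo "$d"
}

# Demo on a tree mirroring the host in the thread: ipv6 disabled, no
# /proc/sys/net/ipv6, sysctl.conf sets 0. Prints "pass".
demo=$(make_root yes none 0)
if check_ipv6_accept_redirects "$demo"; then echo pass; else echo fail; fi
rm -rf "$demo"
```

Run with no argument it inspects the live host, where the first branch is what makes the wahoo case pass instead of tripping over the missing sysctl key.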
