>From 1342fe250b5ec41ce9b42398efc139782e1158f0 Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Thu, 17 Apr 2014 22:33:43 -0400
Subject: [PATCH 13/15] Adding sysctl_net_ipv6_conf_all_accept_ra in support of 
C2S profile

---
 .../checks/sysctl_net_ipv6_conf_all_accept_ra.xml  |   40 ++++++++++++++++++++
 .../bash/sysctl_net_ipv6_conf_all_accept_ra.sh     |   16 ++++++++
 RHEL/6/input/profiles/C2S.xml                      |    2 +-
 3 files changed, 57 insertions(+), 1 deletions(-)
 create mode 100644 RHEL/6/input/checks/sysctl_net_ipv6_conf_all_accept_ra.xml
 create mode 100644 
RHEL/6/input/fixes/bash/sysctl_net_ipv6_conf_all_accept_ra.sh

diff --git a/RHEL/6/input/checks/sysctl_net_ipv6_conf_all_accept_ra.xml 
b/RHEL/6/input/checks/sysctl_net_ipv6_conf_all_accept_ra.xml
new file mode 100644
index 0000000..98da4b8
--- /dev/null
+++ b/RHEL/6/input/checks/sysctl_net_ipv6_conf_all_accept_ra.xml
@@ -0,0 +1,40 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_sysctl_checks.py.  DO NOT EDIT.  -->
+  <definition class="compliance" id="sysctl_net_ipv6_conf_all_accept_ra" 
version="1">
+    <metadata>
+      <title>Kernel Runtime Parameter "net.ipv6.conf.all.accept_ra" 
Check</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+      </affected>
+      <description>The kernel runtime parameter "net.ipv6.conf.all.accept_ra" 
should be set to "0".</description>
+      <reference source="swells" ref_id="20130928" ref_url="test_attestation" 
/>
+    </metadata>
+    <criteria operator="AND">
+      <criterion comment="kernel runtime parameter net.ipv6.conf.all.accept_ra 
set to 0" test_ref="test_runtime_sysctl_net_ipv6_conf_all_accept_ra" />
+      <criterion comment="kernel /etc/sysctl.conf parameter 
net.ipv6.conf.all.accept_ra set to 0" 
test_ref="test_static_sysctl_net_ipv6_conf_all_accept_ra" />
+    </criteria>
+  </definition>
+
+  <unix:sysctl_test check="all" check_existence="all_exist" comment="kernel 
runtime parameter net.ipv6.conf.all.accept_ra set to 0" 
id="test_runtime_sysctl_net_ipv6_conf_all_accept_ra" version="1">
+    <unix:object object_ref="object_sysctl_net_ipv6_conf_all_accept_ra" />
+    <unix:state state_ref="state_sysctl_net_ipv6_conf_all_accept_ra" />
+  </unix:sysctl_test>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" 
comment="net.ipv6.conf.all.accept_ra static configuration" 
id="test_static_sysctl_net_ipv6_conf_all_accept_ra" version="1">
+    <ind:object object_ref="object_static_sysctl_net_ipv6_conf_all_accept_ra" 
/>
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object 
id="object_static_sysctl_net_ipv6_conf_all_accept_ra" version="1">
+    <ind:filepath>/etc/sysctl.conf</ind:filepath>
+    <ind:pattern operation="pattern 
match">^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*0*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <unix:sysctl_object id="object_sysctl_net_ipv6_conf_all_accept_ra" 
version="1">
+    <unix:name>net.ipv6.conf.all.accept_ra</unix:name>
+  </unix:sysctl_object>
+
+  <unix:sysctl_state id="state_sysctl_net_ipv6_conf_all_accept_ra" version="1">
+    <unix:value datatype="int" operation="equals">0</unix:value>
+  </unix:sysctl_state>
+</def-group>
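Review bot: The static-file pattern on the `<ind:pattern>` line, `^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*0*$`, accepts an empty value because `0*` matches zero characters, so an entry `net.ipv6.conf.all.accept_ra =` satisfies the check while the kernel keeps its default, and the unescaped dots each match any character. Since the header comment says this file is generated by create_sysctl_checks.py, the pattern should be corrected in the generator rather than here, e.g. `^[\s]*net\.ipv6\.conf\.all\.accept_ra[\s]*=[\s]*0+$`. Presumably every other generated sysctl check carries the same pattern shape, so the generator fix would cover them too.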
diff --git a/RHEL/6/input/fixes/bash/sysctl_net_ipv6_conf_all_accept_ra.sh 
b/RHEL/6/input/fixes/bash/sysctl_net_ipv6_conf_all_accept_ra.sh
new file mode 100644
index 0000000..aa26b85
--- /dev/null
+++ b/RHEL/6/input/fixes/bash/sysctl_net_ipv6_conf_all_accept_ra.sh
@@ -0,0 +1,16 @@
+#
+# Set runtime for net.ipv6.conf.all.accept_ra
+#
+sysctl -q -n -w net.ipv6.conf.all.accept_ra=0
+
+#
+# If net.ipv6.conf.all.accept_ra present in /etc/sysctl.conf, change value to 
"0"
+#      else, add "net.ipv6.conf.all.accept_ra = 0" to /etc/sysctl.conf
+#
+if grep --silent ^net.ipv6.conf.all.accept_ra /etc/sysctl.conf ; then
+       sed -i 's/^net.ipv6.conf.all.accept_ra.*/net.ipv6.conf.all.accept_ra = 
0/g' /etc/sysctl.conf
+else
+       echo "" >> /etc/sysctl.conf
+       echo "# Set net.ipv6.conf.all.accept_ra to 0 per security requirements" 
>> /etc/sysctl.conf
+       echo "net.ipv6.conf.all.accept_ra = 0" >> /etc/sysctl.conf
+fi
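Review bot: The `grep --silent ^net.ipv6.conf.all.accept_ra` test on the `if` line is a prefix match, so a file that holds only `net.ipv6.conf.all.accept_ra_defrtr = 1` (or another accept_ra_* key) takes the sed branch, and the sed on the next line then rewrites that unrelated entry into `net.ipv6.conf.all.accept_ra = 0`, silently dropping the original setting. Both patterns should be anchored on the full key up to `=` with the dots escaped: `if grep -q '^[[:space:]]*net\.ipv6\.conf\.all\.accept_ra[[:space:]]*=' /etc/sysctl.conf ; then` and `sed -i 's/^[[:space:]]*net\.ipv6\.conf\.all\.accept_ra[[:space:]]*=.*/net.ipv6.conf.all.accept_ra = 0/' /etc/sysctl.conf`. Allowing leading whitespace also keeps the remediation consistent with the OVAL static check in the first file, which accepts an indented entry that this script would otherwise leave unchanged.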
diff --git a/RHEL/6/input/profiles/C2S.xml b/RHEL/6/input/profiles/C2S.xml
index 161321e..f32ebdf 100644
--- a/RHEL/6/input/profiles/C2S.xml
+++ b/RHEL/6/input/profiles/C2S.xml
@@ -334,7 +334,7 @@ Patches would be most welcome!
 <!-- 4.4.1 Configure IPv6 -->
 <!-- 4.4.1.1 Disable IPv6 Router Advertisements (Not Scored) -->
 <select idref="sysctl_net_ipv6_conf_default_accept_ra" selected="true" />
-<!-- NEEDS: net.ipv6.conf.all.accept_ra -->
+<select idref="sysctl_net_ipv6_conf_all_accept_ra" selected="true" />
 
 <!-- 4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored) -->
 <select idref="sysctl_ipv6_default_accept_redirects" selected="true" />
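Review bot: The new `<select idref="sysctl_net_ipv6_conf_all_accept_ra" selected="true" />` references a Rule id that this patch does not define: the diffstat adds only the OVAL check and the bash fix, not an XCCDF Rule. Unless the Rule was introduced earlier in this series, the selection points at nothing and the check and fix added here are never reached from the profile. The Rule definition (next to `sysctl_net_ipv6_conf_default_accept_ra` in the IPv6 XCCDF input) should be part of this change or confirmed to already exist.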
-- 
1.7.1
