From e14418e1bfbecde7f7091173c8ad9c84b28bd8ee Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 4 May 2020 18:51:13 +0200
Subject: [PATCH] Add Ansible for kernel_module_ipv6_option_disabled

The remediation does more than disabling only one kernel module, so it
is not suitable for "templation" (use of templating system).
---
 .../ansible/shared.yml                        | 22 +++++++++++++++++++
 .../tests/module_disabled.pass.sh             |  4 ++++
 .../tests/module_enabled.fail.sh              |  4 ++++
 3 files changed, 30 insertions(+)
 create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/ansible/shared.yml
 create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_disabled.pass.sh
 create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_enabled.fail.sh

diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/ansible/shared.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/ansible/shared.yml
new file mode 100644
index 0000000000..a6d6229bdc
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/ansible/shared.yml
@@ -0,0 +1,22 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = disable
+# complexity = low
+# disruption = medium
+
+- name: Disable IPv6 Networking kernel module
+  lineinfile:
+    create: yes
+    dest: "/etc/modprobe.d/ipv6.conf"
+    regexp: "^options\\s+ipv6\\s+disable=\\d"
+    line: "options ipv6 disable=1"
+
+- name: Ensure disable_ipv6 (all and default) is set to 1
+  sysctl:
+    name: "{{ item }}"
+    value: "1"
+    state: present
+    reload: yes
+  with_items:
+    - "net.ipv6.conf.all.disable_ipv6"
+    - "net.ipv6.conf.default.disable_ipv6"
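Review bot: The lineinfile task sets `create: yes` without `mode`, `owner` or `group`, so a newly created /etc/modprobe.d/ipv6.conf takes its permissions from the remote umask. Adding `mode: "0644"` (quoted so it is not parsed as an integer), `owner: root` and `group: root` would make the result deterministic. Separately, the regexp only matches when `disable=` directly follows `ipv6`, so a line such as `options ipv6 autoconf=0 disable=0` (constructed example) would stay in place and a second options line would be appended. Whether the appended value then takes precedence depends on how modprobe orders the options, which should be confirmed. A comment above the sysctl task explaining why it runs in addition to the module option would also help, since the commit message gives this as the reason the rule is not templated.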
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_disabled.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_disabled.pass.sh
new file mode 100644
index 0000000000..f22b37b8e8
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_disabled.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 7
+
+echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_enabled.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_enabled.fail.sh
new file mode 100644
index 0000000000..82122fea40
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_enabled.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 7
+
+echo "options ipv6 disable=0" > /etc/modprobe.d/ipv6.conf
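Review bot: Neither scenario covers the case where /etc/modprobe.d/ipv6.conf is absent, which is the path the remediation's `create: yes` exists for. A third scenario such as `rm -f /etc/modprobe.d/ipv6.conf` in a `.fail.sh` file would exercise it, assuming the rule's check treats a missing option as non-compliant. Both scripts are also limited to `# platform = Red Hat Enterprise Linux 7`, while the remediation declares `multi_platform_all`. If that restriction is intentional, a one-line comment giving the reason would help.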