From 0f919eef79444dfbbf105d58258f4935596d617d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 20 Mar 2020 11:15:10 +0100
Subject: [PATCH 1/5] add rule

---
 .../grub2_disable_ipv6/rule.yml | 94 +++++++++++++++++++
 2 files changed, 94 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml

diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
new file mode 100644
index 0000000000..ab3137e57e
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
@@ -0,0 +1,94 @@
+documentation_complete: true
+
+prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4
+
+title: 'Ensure IPv6 is disabled through kernel boot parameter'
+
+description: |-
+ To disable IPv6 protocol support in the Linux kernel,
+ add the argument <tt>ipv6.disable=1</tt> to the default
+ GRUB 2 command line for the Linux operating system in
+{{% if product in ["rhel7", "ol7", "rhv4"] %}}
+ <tt>/etc/default/grub</tt>, so that the line looks similar to
+ GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."
+ In case the <tt>GRUB_DISABLE_RECOVERY</tt> is set to true, then the parameter should be added to the <tt>GRUB_CMDLINE_LINUX_DEFAULT</tt> instead.
+{{% else %}}
+ <tt>/boot/grub2/grubenv</tt>, in the manner below:
+ # grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
+{{% endif %}}
+
+
+rationale: |-
+ Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
+ the vulnerability to exploitation.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 82886-3
+ cce@rhel8: 82887-1
+
+references:
+ cis@rhel7: 3.3.3
+ cis@rhel8: "3.6"
+
+ocil_clause: 'IPv6 is not disabled'
+
+ocil: |-
+ {{% if product in ["rhel7", "ol7", "rhv4"] %}}
+ Inspect the form of default GRUB 2 command line for the Linux operating system
+ in <tt>/etc/default/grub</tt>. If it includes <tt>ipv6.disable=1</tt>, then IPv6
+ is disabled at boot time.
+ First check if the GRUB recovery is enabled:
+ $ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+ If this option is set to true, then check that a line is output by the following command:
+ $ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
+ If the recovery is disabled, check the line with
+ $ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub .
+ Moreover, current Grub2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
+ # grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
+ This command should not return any output. If it does, update the configuration with
+ # grub2-mkconfig -o /boot/grub2/grub.cfg
+
+ Alternatively, to ensure <tt>ipv6.disable=1</tt> is configured on all installed kernels, the
+ following command may be used:
+
+ $ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
+
+{{% else %}}
+ Inspect the form of default GRUB 2 command line for the Linux operating system
+ in <tt>/boot/grub2/grubenv</tt>. If they include <tt>ipv6.disable=1</tt>, then IPv6
+ is disabled at boot time.
+ # grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
+
+ To ensure <tt>ipv6.disable=1</tt> is configured on all installed kernels, the
+ following command may be used:
+
+ # grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
+
+{{% endif %}}
+
+
+warnings:
+ - management: |-
+ The GRUB 2 configuration file, <tt>grub.cfg</tt>,
+ is automatically updated each time a new kernel is installed. Note that any
+ changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
+ file. To update the GRUB 2 configuration file manually, use the
+ grub2-mkconfig -o command as follows:
+
+ On BIOS-based machines, issue the following command as <tt>root</tt>:
+ ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
+ On UEFI-based machines, issue the following command as <tt>root</tt>:
+{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}}
+ ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
+{{% else %}}
+ ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
+{{% endif %}}
+
+
+template:
+ name: grub2_bootloader_argument
+ vars:
+ arg_name: ipv6.disable
+ arg_value: '1'
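Review bot: the OCIL recovery logic contradicts itself: `+ If this option is set to true, then check that a line is output by the following command:` (the option being GRUB_DISABLE_RECOVERY, so true means recovery entries are off) points at GRUB_CMDLINE_LINUX_DEFAULT, and the very next branch `+ If the recovery is disabled, check the line with` points at GRUB_CMDLINE_LINUX, so both branches describe the same state; the second should read "otherwise" (option not set to true), in line with the description's "In case the GRUB_DISABLE_RECOVERY is set to true, then the parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT instead." Smaller defects in the same hunk: `Moreover, current Grub2 config file in <tt>/etc/grub2/grub.cfg</tt>` names a path the command below it does not use (`grep vmlinuz /boot/grub2/grub.cfg`), so pick one; `$ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub .` carries a stray trailing ` .` that makes grep also try to read the current directory; the grubenv remediation `grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"` appends unconditionally, so a second run leaves `ipv6.disable=1` twice in kernelopts, and if no kernelopts line exists the substitution is empty and the argument is no longer a `name=value` assignment; and `prodtype` lists rhv4 and ocp4, which the UEFI branch `{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}}` sends to the `/boot/efi/EFI/fedora/grub.cfg` path.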

From 847faabaa90a70a4c1c4c896c287f8f05b40579c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 20 Mar 2020 15:06:45 +0100
Subject: [PATCH 2/5] add rule to rhel7 and rhel8 cis

---
 rhel7/profiles/cis.profile | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index b66594f594..88b27c7a71 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -350,6 +350,7 @@ selections:
- sysctl_net_ipv6_conf_default_accept_redirects
### 3.3.3 Ensure IPv6 is disabled (Not Scored)
+ - grub2_disable_ipv6
## 3.4 TCP Wrappers
### 3.4.1 Ensure TCP Wrappers is installed (Scored)
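Review bot: the diffstat says `2 files changed, 2 insertions(+), 1 deletion(-)`, but only the rhel7/profiles/cis.profile hunk with a single insertion is shown, so the rhel8 profile change named in the subject is missing from this patch as rendered; when it is added, select the rule under the CIS section the rule itself references (`cis@rhel8: "3.6"`) rather than under a 3.3.3 heading as in rhel7.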

From 95e501a09061ade19d5c6363967bc48a5e28ef41 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Mon, 23 Mar 2020 08:49:06 +0100
Subject: [PATCH 3/5] fix wording in rule.yml

Co-Authored-By: Shawn Wells <shawn@redhat.com>
---
 .../disabling_ipv6/grub2_disable_ipv6/rule.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
index ab3137e57e..06fd3b2a36 100644
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
@@ -7,7 +7,7 @@ title: 'Ensure IPv6 is disabled through kernel boot parameter'
description: |-
To disable IPv6 protocol support in the Linux kernel,
add the argument <tt>ipv6.disable=1</tt> to the default
- GRUB 2 command line for the Linux operating system in
+ GRUB2 command line for the Linux operating system in
{{% if product in ["rhel7", "ol7", "rhv4"] %}}
<tt>/etc/default/grub</tt>, so that the line looks similar to
GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."
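Review bot: the rename from `GRUB 2` to `GRUB2` is applied to the description (and, below, the OCIL) but not to the `warnings` text, which still reads "The GRUB 2 configuration file" and "To update the GRUB 2 configuration file manually"; apply the same spelling there so the rule uses one form throughout.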
@@ -19,7 +19,7 @@ description: |-
rationale: |-
- Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
+ Any unnecessary network stacks, including IPv6, should be disabled to reduce
the vulnerability to exploitation.
severity: medium
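Review bot: the rationale still ends in "to reduce the vulnerability to exploitation", which says nothing concrete; state the actual benefit, for instance that a protocol stack the host does not use has no business accepting packets, and that disabling it removes its attack surface and the need to firewall and monitor it.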
@@ -36,7 +36,7 @@ ocil_clause: 'IPv6 is not disabled'
ocil: |-
{{% if product in ["rhel7", "ol7", "rhv4"] %}}
- Inspect the form of default GRUB 2 command line for the Linux operating system
+ Inspect the form of default GRUB2 command line for the Linux operating system
in <tt>/etc/default/grub</tt>. If it includes <tt>ipv6.disable=1</tt>, then IPv6
is disabled at boot time.
First check if the GRUB recovery is enabled:
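Review bot: "If it includes <tt>ipv6.disable=1</tt>, then IPv6 is disabled at boot time" overstates what `/etc/default/grub` proves, since that file only takes effect after `grub2-mkconfig` regenerates grub.cfg; the OCIL does go on to check grub.cfg, so word this line as a check of the input file rather than a conclusion about the boot state.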
@@ -45,7 +45,7 @@ ocil: |-
$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
If the recovery is disabled, check the line with
$ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub .
- Moreover, current Grub2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
+ Moreover, current GRUB2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
# grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
This command should not return any output. If it does, update the configuration with
# grub2-mkconfig -o /boot/grub2/grub.cfg
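Review bot: while rewording `+ Moreover, current GRUB2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.`, fix the path as well: the command on the next line reads `/boot/grub2/grub.cfg`, which is also the file the remediation writes, so the sentence should name that path. The stray trailing ` .` on `$ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub .` is still carried in this hunk's context and should go too.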
@@ -56,7 +56,7 @@ ocil: |-
$ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
{{% else %}}
- Inspect the form of default GRUB 2 command line for the Linux operating system
+ Inspect the form of default GRUB2 command line for the Linux operating system
in <tt>/boot/grub2/grubenv</tt>. If they include <tt>ipv6.disable=1</tt>, then IPv6
is disabled at boot time.
# grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
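Review bot: `If they include <tt>ipv6.disable=1</tt>` refers to a single file, <tt>/boot/grub2/grubenv</tt>, so it should read "If it includes"; since the adjacent line is being rewritten anyway, take this one along.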

From 3006d2025e472c2c457f5665ab0096f22e84766c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 23 Mar 2020 14:13:15 +0100
Subject: [PATCH 4/5] change severity, reorder prodtypes, and add sudo instead of root

---
 .../grub2_disable_ipv6/rule.yml | 32 +++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
index 06fd3b2a36..1c6d2388d1 100644
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
title: 'Ensure IPv6 is disabled through kernel boot parameter'
@@ -14,7 +14,7 @@ description: |-
In case the <tt>GRUB_DISABLE_RECOVERY</tt> is set to true, then the parameter should be added to the <tt>GRUB_CMDLINE_LINUX_DEFAULT</tt> instead.
{{% else %}}
<tt>/boot/grub2/grubenv</tt>, in the manner below:
- # grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
+ sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
{{% endif %}}
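Review bot: `+ sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"` puts sudo only on the outer command; the inner `grub2-editenv - list` inside the command substitution runs as the invoking user, and this same series assumes grubenv needs root to read (the OCIL below is changed to `sudo grep ... /boot/grub2/grubenv`). If the inner list fails or prints nothing, the substitution is empty and what gets set is ` ipv6.disable=1`, which is not a `name=value` assignment. Prefix the inner command with sudo as well, and it is still worth guarding against appending the argument a second time when it is already present.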
@@ -22,7 +22,7 @@ rationale: |-
Any unnecessary network stacks, including IPv6, should be disabled to reduce
the vulnerability to exploitation.
-severity: medium
+severity: low
identifiers:
cce@rhel7: 82886-3
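Review bot: the severity drop from `medium` to `low` has no justification in the commit message; the rhel7 CIS heading this rule sits under reads "Ensure IPv6 is disabled (Not Scored)", which supports low, so say that in the message so the change is traceable later.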
@@ -40,31 +40,31 @@ ocil: |-
in <tt>/etc/default/grub</tt>. If it includes <tt>ipv6.disable=1</tt>, then IPv6
is disabled at boot time.
First check if the GRUB recovery is enabled:
- $ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command:
- $ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
+ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
If the recovery is disabled, check the line with
- $ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub .
+ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub .
Moreover, current GRUB2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
- # grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
+ sudo grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
This command should not return any output. If it does, update the configuration with
- # grub2-mkconfig -o /boot/grub2/grub.cfg
+ sudo grub2-mkconfig -o /boot/grub2/grub.cfg
Alternatively, to ensure <tt>ipv6.disable=1</tt> is configured on all installed kernels, the
following command may be used:
- $ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
+ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
{{% else %}}
Inspect the form of default GRUB2 command line for the Linux operating system
in <tt>/boot/grub2/grubenv</tt>. If they include <tt>ipv6.disable=1</tt>, then IPv6
is disabled at boot time.
- # grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
+ sudo grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
To ensure <tt>ipv6.disable=1</tt> is configured on all installed kernels, the
following command may be used:
- # grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
+ sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
{{% endif %}}
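Review bot: this hunk rewrites every command line in the OCIL but leaves two defects in place: `+ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub .` keeps the stray trailing ` .`, and the untouched `Moreover, current GRUB2 config file in <tt>/etc/grub2/grub.cfg</tt>` line still names a path different from the `sudo grep vmlinuz /boot/grub2/grub.cfg` check right under it. Since all of these lines are being touched for the sudo change, drop the ` .` and align the path in the same commit.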
@@ -77,13 +77,13 @@ warnings:
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
- On BIOS-based machines, issue the following command as <tt>root</tt>:
- ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
- On UEFI-based machines, issue the following command as <tt>root</tt>:
+ On BIOS-based machines, issue the following command:
+ sudo grub2-mkconfig -o /boot/grub2/grub.cfg
+ On UEFI-based machines, issue the following command:
{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}}
- ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
+ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
{{% else %}}
- ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
+ sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
{{% endif %}}
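Review bot: the `{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}}` branch in this warning routes every other product to `sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg`, yet `prodtype` also lists rhv4 and ocp4; confirm the fedora path is really intended for those, since rhv4 is RHEL-based. Also, the context line `file. To update the GRUB 2 configuration file manually, use the` still spells it `GRUB 2` after the description and OCIL were switched to `GRUB2` in patch 3.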


From 18529b39aa08084c6a73adec2771b48eac89ce7f Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 25 Mar 2020 09:54:05 +0100
Subject: [PATCH 5/5] make description and ocil clearer

---
 .../grub2_disable_ipv6/rule.yml | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
index 1c6d2388d1..e128654204 100644
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
@@ -12,6 +12,10 @@ description: |-
<tt>/etc/default/grub</tt>, so that the line looks similar to
GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."
In case the <tt>GRUB_DISABLE_RECOVERY</tt> is set to true, then the parameter should be added to the <tt>GRUB_CMDLINE_LINUX_DEFAULT</tt> instead.
+ Run one of following command to ensure that the configuration is applied when booting currently installed kernels:
+ sudo grub2-mkconfig -o /boot/grub2/grub.cfg
+ or
+ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
{{% else %}}
<tt>/boot/grub2/grubenv</tt>, in the manner below:
sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
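Review bot: `+ Run one of following command to ensure that the configuration is applied when booting currently installed kernels:` needs "one of the following commands", and the two commands offered are not interchangeable: `sudo grub2-mkconfig -o /boot/grub2/grub.cfg` regenerates grub.cfg from the `/etc/default/grub` edit described just above, whereas `sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"` edits the kernel entries directly and leaves `/etc/default/grub` alone, so an argument added only with grubby is lost the next time grub2-mkconfig is run. Say that grubby is the alternative when `/etc/default/grub` was not edited, and note that the grub.cfg path given here is the BIOS one while the `warnings` section lists the UEFI paths.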
@@ -37,28 +41,23 @@ ocil_clause: 'IPv6 is not disabled'
ocil: |-
{{% if product in ["rhel7", "ol7", "rhv4"] %}}
Inspect the form of default GRUB2 command line for the Linux operating system
- in <tt>/etc/default/grub</tt>. If it includes <tt>ipv6.disable=1</tt>, then IPv6
- is disabled at boot time.
+ in <tt>/etc/default/grub</tt>. Check if it includes <tt>ipv6.disable=1</tt>.
First check if the GRUB recovery is enabled:
grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
- If this option is set to true, then check that a line is output by the following command:
+ If this option is set to true, then check that the following line is output by the following command:
grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
If the recovery is disabled, check the line with
grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub .
Moreover, current GRUB2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
sudo grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
- This command should not return any output. If it does, update the configuration with
+ This command should not return any output. If it does, update the configuration with one of following commands:
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
-
- Alternatively, to ensure <tt>ipv6.disable=1</tt> is configured on all installed kernels, the
- following command may be used:
-
+ or
sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
{{% else %}}
Inspect the form of default GRUB2 command line for the Linux operating system
- in <tt>/boot/grub2/grubenv</tt>. If they include <tt>ipv6.disable=1</tt>, then IPv6
- is disabled at boot time.
+ in <tt>/boot/grub2/grubenv</tt>. Check if it includes <tt>ipv6.disable=1</tt>.
sudo grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
To ensure <tt>ipv6.disable=1</tt> is configured on all installed kernels, the
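Review bot: `+ If this option is set to true, then check that the following line is output by the following command:` is ambiguous, because only a command follows, not a line; write "check that the command below prints a matching line". `+ This command should not return any output. If it does, update the configuration with one of following commands:` needs "one of the following". The context lines of this hunk still carry the stray trailing ` .` on `grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub .` and the `/etc/grub2/grub.cfg` wording next to the `sudo grep vmlinuz /boot/grub2/grub.cfg` check, so the wording pass is a good place to settle both.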