From 82012a2c80e0f0bed75586b7d93570db2121962e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 1 Aug 2022 17:50:37 +0200
Subject: [PATCH 1/2] Add rule for sysctl net.ipv4.conf.all.forwarding
This rule is similar to sysctl_net_ipv6_conf_all_forwarding and
sysctl_net_ipv4_forward.
---
.../rule.yml | 44 +++++++++++++++++++
...ctl_net_ipv4_conf_all_forwarding_value.var | 17 +++++++
shared/references/cce-redhat-avail.txt | 1 -
3 files changed, 61 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
new file mode 100644
index 00000000000..7b0066f7c29
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
@@ -0,0 +1,44 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}'
+
+rationale: |-
+ IP forwarding permits the kernel to forward packets from one network
+ interface to another. The ability to forward packets between two networks is
+ only appropriate for systems acting as routers.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-86220-1
+
+references:
+ disa: CCI-000366
+ nist: CM-6(b)
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-040259
+
+ocil_clause: 'IP forwarding value is "1" and the system is not router'
+
+ocil: |-
+ {{{ ocil_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}
+ The ability to forward packets is only appropriate for routers.
+
+fixtext: |-
+ Configure {{{ full_name }}} to not allow packet forwarding unless the system is a router with the following commands:
+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.forwarding", value="0") | indent(4) }}}
+
+srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless the system is a router.'
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: net.ipv4.conf.all.forwarding
+ datatype: int
+
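Review bot: The rule carries no `warnings:` entry, yet its remediation unconditionally writes `net.ipv4.conf.all.forwarding = 0`, which on a virtualization or container host (libvirt NAT networks and podman/docker bridges all depend on IPv4 forwarding) does more than report a finding: it silently cuts guest and container egress. The rationale only says forwarding is "appropriate for systems acting as routers", and such hosts are routers in the kernel's sense, so I would add a `warnings:` block with a `general:` entry saying, in substance, that hosts providing NAT or bridged networking to virtual machines or containers require IPv4 forwarding and should be documented as routers and excluded from this rule rather than remediated. Two smaller points: the `ocil_clause` reads "the system is not router" and should be "the system is not a router"; and the template sets `datatype: int` without a `sysctlval`, so the build presumably resolves the value through the sibling `sysctl_net_ipv4_conf_all_forwarding_value` variable created in this patch — worth confirming that name is what the sysctl template expects.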
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
new file mode 100644
index 00000000000..2aedd6e6432
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: net.ipv4.conf.all.forwarding
+
+description: 'Toggle IPv4 Forwarding'
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+ default: "0"
+ disabled: "0"
+ enabled: 1
+
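Review bot: The option values are quoted inconsistently — `default: "0"` and `disabled: "0"` are YAML strings while `enabled: 1` is an integer — and although the build most likely stringifies both, one form avoids a type-dependent surprise in any tooling that compares a selected value against the `options` map; I would change it to `enabled: "1"`. The description `'Toggle IPv4 Forwarding'` is also narrower than it reads, since the variable governs forwarding on all interfaces through `net.ipv4.conf.all.forwarding`, and this series already deals with the separate `sysctl_net_ipv4_ip_forward` rule; `description: 'Toggle IPv4 packet forwarding on all interfaces (net.ipv4.conf.all.forwarding)'` would keep the two apart for whoever tailors the profile.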
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 914233f06bf..3e14b73dd71 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -168,7 +168,6 @@ CCE-86216-9
CCE-86217-7
CCE-86218-5
CCE-86219-3
-CCE-86220-1
CCE-86221-9
CCE-86222-7
CCE-86223-5
From 0e2be2dfb7c185ac15e69e110c2e7a76f6896df7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 1 Aug 2022 17:53:32 +0200
Subject: [PATCH 2/2] Better align with RHEL-08-040259
The item is about net.ipv4.conf.all.forwarding
The update to V1R7 brought this misalignment to light.
---
.../sysctl_net_ipv4_ip_forward/rule.yml | 1 -
products/rhel8/profiles/stig.profile | 2 +-
tests/data/profile_stability/rhel8/stig.profile | 4 ++--
tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
4 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
index 5c449db7f3a..7acfc0b05b6 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -45,7 +45,6 @@ references:
stigid@ol7: OL07-00-040740
stigid@ol8: OL08-00-040260
stigid@rhel7: RHEL-07-040740
- stigid@rhel8: RHEL-08-040259
stigid@sle12: SLES-12-030430
stigid@sle15: SLES-15-040380
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 4b480bd2c11..6b44436a2b1 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1127,7 +1127,7 @@ selections:
- sysctl_net_ipv6_conf_default_accept_source_route
# RHEL-08-040259
- - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv4_conf_all_forwarding
# RHEL-08-040260
- sysctl_net_ipv6_conf_all_forwarding
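Review bot: The `# RHEL-08-040259` comment gives no hint that `sysctl_net_ipv4_ip_forward` was dropped from this profile on purpose, which a future re-sync against the STIG is likely to undo by adding it back next to the new rule. As far as I know `net.ipv4.ip_forward` and `net.ipv4.conf.all.forwarding` are backed by the same kernel state and writing either updates both, which is what makes the swap safe; the practical caveat is that a later-sorted drop-in under `/etc/sysctl.d/` setting `net.ipv4.ip_forward = 1` (container and virtualization packages commonly ship one) re-enables forwarding at runtime even after the remediation wrote `net.ipv4.conf.all.forwarding = 0`, and whether the sysctl template's static-file check notices that depends on its OVAL, which is not visible here and should be confirmed. I would extend the comment to `# RHEL-08-040259 (V1R7 checks net.ipv4.conf.all.forwarding; net.ipv4.ip_forward is the same kernel state)` so the reasoning travels with the selection.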
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 4bee72830d0..47f53a9d023 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -1,7 +1,7 @@
title: DISA STIG for Red Hat Enterprise Linux 8
description: 'This profile contains configuration checks that align to the
- DISA STIG for Red Hat Enterprise Linux 8 V1R7
+ DISA STIG for Red Hat Enterprise Linux 8 V1R7.
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
@@ -395,13 +395,13 @@ selections:
- sysctl_net_core_bpf_jit_harden
- sysctl_net_ipv4_conf_all_accept_redirects
- sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_forwarding
- sysctl_net_ipv4_conf_all_rp_filter
- sysctl_net_ipv4_conf_all_send_redirects
- sysctl_net_ipv4_conf_default_accept_redirects
- sysctl_net_ipv4_conf_default_accept_source_route
- sysctl_net_ipv4_conf_default_send_redirects
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- sysctl_net_ipv4_ip_forward
- sysctl_net_ipv6_conf_all_accept_ra
- sysctl_net_ipv6_conf_all_accept_redirects
- sysctl_net_ipv6_conf_all_accept_source_route
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index ece32d06a6f..c4e60ddcde5 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -405,13 +405,13 @@ selections:
- sysctl_net_core_bpf_jit_harden
- sysctl_net_ipv4_conf_all_accept_redirects
- sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_forwarding
- sysctl_net_ipv4_conf_all_rp_filter
- sysctl_net_ipv4_conf_all_send_redirects
- sysctl_net_ipv4_conf_default_accept_redirects
- sysctl_net_ipv4_conf_default_accept_source_route
- sysctl_net_ipv4_conf_default_send_redirects
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- sysctl_net_ipv4_ip_forward
- sysctl_net_ipv6_conf_all_accept_ra
- sysctl_net_ipv6_conf_all_accept_redirects
- sysctl_net_ipv6_conf_all_accept_source_route