From 0f919eef79444dfbbf105d58258f4935596d617d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 20 Mar 2020 11:15:10 +0100
Subject: [PATCH 1/5] add rule
---
.../grub2_disable_ipv6/rule.yml | 94 +++++++++++++++++++
2 files changed, 94 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
new file mode 100644
index 0000000000..ab3137e57e
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
@@ -0,0 +1,94 @@
+documentation_complete: true
+
+prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4
+
+title: 'Ensure IPv6 is disabled through kernel boot parameter'
+
+description: |-
+ To disable IPv6 protocol support in the Linux kernel,
+ add the argument <tt>ipv6.disable=1</tt> to the default
+ GRUB 2 command line for the Linux operating system in
+{{% if product in ["rhel7", "ol7", "rhv4"] %}}
+ <tt>/etc/default/grub</tt>, so that the line looks similar to
+ <pre>GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."</pre>
+ In case the <tt>GRUB_DISABLE_RECOVERY</tt> is set to true, then the parameter should be added to the <tt>GRUB_CMDLINE_LINUX_DEFAULT</tt> instead.
+{{% else %}}
+ <tt>/boot/grub2/grubenv</tt>, in the manner below:
+ <pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"</pre>
+{{% endif %}}
+
+
+rationale: |-
+ Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
+ the vulnerability to exploitation.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 82886-3
+ cce@rhel8: 82887-1
+
+references:
+ cis@rhel7: 3.3.3
+ cis@rhel8: "3.6"
+
+ocil_clause: 'IPv6 is not disabled'
+
+ocil: |-
+ {{% if product in ["rhel7", "ol7", "rhv4"] %}}
+ Inspect the form of default GRUB 2 command line for the Linux operating system
+ in <tt>/etc/default/grub</tt>. If it includes <tt>ipv6.disable=1</tt>, then IPv6
+ is disabled at boot time.
+ First check if the GRUB recovery is enabled:
+ <pre>$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>
+ If this option is set to true, then check that a line is output by the following command:
+ <pre>$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub</pre>
+ If the recovery is disabled, check the line with
+ <pre>$ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub</pre>.
+ Moreover, current Grub2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
+ <pre># grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'</pre>
+ This command should not return any output. If it does, update the configuration with
+ <pre># grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
+ <br /><br />
+ Alternatively, to ensure <tt>ipv6.disable=1</tt> is configured on all installed kernels, the
+ following command may be used:
+ <br />
+ <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"</pre>
+ <br />
+{{% else %}}
+ Inspect the form of default GRUB 2 command line for the Linux operating system
+ in <tt>/boot/grub2/grubenv</tt>. If they include <tt>ipv6.disable=1</tt>, then IPv6
+ is disabled at boot time.
+ <pre># grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv</pre>
+ <br /><br />
+ To ensure <tt>ipv6.disable=1</tt> is configured on all installed kernels, the
+ following command may be used:
+ <br />
+ <pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"</pre>
+ <br />
+{{% endif %}}
+
+
+warnings:
+ - management: |-
+ The GRUB 2 configuration file, <tt>grub.cfg</tt>,
+ is automatically updated each time a new kernel is installed. Note that any
+ changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
+ file. To update the GRUB 2 configuration file manually, use the
+ <pre>grub2-mkconfig -o</pre> command as follows:
+ <ul>
+ <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
+ <pre>~]# grub2-mkconfig -o /boot/grub2/grub.cfg</pre></li>
+ <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
+{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}}
+ <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
+{{% else %}}
+ <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
+{{% endif %}}
+ </ul>
+
+template:
+ name: grub2_bootloader_argument
+ vars:
+ arg_name: ipv6.disable
+ arg_value: '1'
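Review bot: The rhel7 branch of the ocil block cannot tell the two GRUB variables apart: the pattern in "grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub", offered for the case where recovery is disabled, also matches a GRUB_CMDLINE_LINUX_DEFAULT= line, so a host that only carries the argument on GRUB_CMDLINE_LINUX_DEFAULT satisfies both greps and the GRUB_DISABLE_RECOVERY distinction the text builds up is never actually tested. Anchor the variable name (grep '^GRUB_CMDLINE_LINUX=.*ipv6.disable=1' and grep '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6.disable=1') and drop the redundant trailing ".*"; the same anchoring keeps a commented-out "#GRUB_DISABLE_RECOVERY" line from being reported as the setting by the first grep.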
From 847faabaa90a70a4c1c4c896c287f8f05b40579c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 20 Mar 2020 15:06:45 +0100
Subject: [PATCH 2/5] add rule to rhel7 and rhel8 cis
---
rhel7/profiles/cis.profile | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index b66594f594..88b27c7a71 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -350,6 +350,7 @@ selections:
- sysctl_net_ipv6_conf_default_accept_redirects
### 3.3.3 Ensure IPv6 is disabled (Not Scored)
+ - grub2_disable_ipv6
## 3.4 TCP Wrappers
### 3.4.1 Ensure TCP Wrappers is installed (Scored)
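Review bot: Only the rhel7/profiles/cis.profile hunk is in the posted patch, while the subject ("add rule to rhel7 and rhel8 cis") and the diffstat ("2 files changed, 2 insertions(+), 1 deletion(-)") promise a rhel8 change with a deletion as well; please include the rhel8/profiles/cis.profile hunk so the rule's cis@rhel8: "3.6" reference can be checked against the selection it is placed under.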
From 95e501a09061ade19d5c6363967bc48a5e28ef41 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Mon, 23 Mar 2020 08:49:06 +0100
Subject: [PATCH 3/5] fix wording in rule.yml
Co-Authored-By: Shawn Wells <shawn@redhat.com>
---
.../disabling_ipv6/grub2_disable_ipv6/rule.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
index ab3137e57e..06fd3b2a36 100644
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
@@ -7,7 +7,7 @@ title: 'Ensure IPv6 is disabled through kernel boot parameter'
description: |-
To disable IPv6 protocol support in the Linux kernel,
add the argument <tt>ipv6.disable=1</tt> to the default
- GRUB 2 command line for the Linux operating system in
+ GRUB2 command line for the Linux operating system in
{{% if product in ["rhel7", "ol7", "rhv4"] %}}
<tt>/etc/default/grub</tt>, so that the line looks similar to
<pre>GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."</pre>
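Review bot: The "GRUB 2" to "GRUB2" rename is incomplete: the warnings block of the same file ("The GRUB 2 configuration file", "To update the GRUB 2 configuration file manually") is not touched by this patch, so the rule ends up using both spellings; either extend the rename to that block or leave the original form everywhere.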
@@ -19,7 +19,7 @@ description: |-
rationale: |-
- Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
+ Any unnecessary network stacks, including IPv6, should be disabled to reduce
the vulnerability to exploitation.
severity: medium
@@ -36,7 +36,7 @@ ocil_clause: 'IPv6 is not disabled'
ocil: |-
{{% if product in ["rhel7", "ol7", "rhv4"] %}}
- Inspect the form of default GRUB 2 command line for the Linux operating system
+ Inspect the form of default GRUB2 command line for the Linux operating system
in <tt>/etc/default/grub</tt>. If it includes <tt>ipv6.disable=1</tt>, then IPv6
is disabled at boot time.
First check if the GRUB recovery is enabled:
@@ -45,7 +45,7 @@ ocil: |-
<pre>$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub</pre>
If the recovery is disabled, check the line with
<pre>$ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub</pre>.
- Moreover, current Grub2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
+ Moreover, current GRUB2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
<pre># grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'</pre>
This command should not return any output. If it does, update the configuration with
<pre># grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
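Review bot: The line rewritten here still tells the reader to check "/etc/grub2/grub.cfg" while the command directly below greps /boot/grub2/grub.cfg; since this hunk already rewords that sentence, fix the path at the same time so the prose and the check agree ("Moreover, the current GRUB2 config file in <tt>/boot/grub2/grub.cfg</tt> must be checked.").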
@@ -56,7 +56,7 @@ ocil: |-
<pre>$ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"</pre>
<br />
{{% else %}}
- Inspect the form of default GRUB 2 command line for the Linux operating system
+ Inspect the form of default GRUB2 command line for the Linux operating system
in <tt>/boot/grub2/grubenv</tt>. If they include <tt>ipv6.disable=1</tt>, then IPv6
is disabled at boot time.
<pre># grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv</pre>
From 3006d2025e472c2c457f5665ab0096f22e84766c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 23 Mar 2020 14:13:15 +0100
Subject: [PATCH 4/5] change severity, reorder prodtypes, and add sudo instead
of root
---
.../grub2_disable_ipv6/rule.yml | 32 +++++++++----------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
index 06fd3b2a36..1c6d2388d1 100644
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
title: 'Ensure IPv6 is disabled through kernel boot parameter'
@@ -14,7 +14,7 @@ description: |-
In case the <tt>GRUB_DISABLE_RECOVERY</tt> is set to true, then the parameter should be added to the <tt>GRUB_CMDLINE_LINUX_DEFAULT</tt> instead.
{{% else %}}
<tt>/boot/grub2/grubenv</tt>, in the manner below:
- <pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"</pre>
+ <pre>sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"</pre>
{{% endif %}}
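Review bot: Putting sudo only in front of the outer command does not privilege the command substitution: "$(grub2-editenv - list | grep kernelopts)" is expanded by the caller's shell before sudo runs, and the ocil part of this same patch reads /boot/grub2/grubenv with "sudo grep", which implies the unprivileged inner "grub2-editenv - list" cannot read the file; the substitution then comes back empty and the set call no longer carries the existing kernelopts value. Run the whole pipeline under one root shell, for example sudo sh -c 'grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"', and note that the command appends on every run, so a second run duplicates ipv6.disable=1 in kernelopts; guard it with a grep for the argument first.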
@@ -22,7 +22,7 @@ rationale: |-
Any unnecessary network stacks, including IPv6, should be disabled to reduce
the vulnerability to exploitation.
-severity: medium
+severity: low
identifiers:
cce@rhel7: 82886-3
@@ -40,31 +40,31 @@ ocil: |-
in <tt>/etc/default/grub</tt>. If it includes <tt>ipv6.disable=1</tt>, then IPv6
is disabled at boot time.
First check if the GRUB recovery is enabled:
- <pre>$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>
+ <pre>grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>
If this option is set to true, then check that a line is output by the following command:
- <pre>$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub</pre>
+ <pre>grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub</pre>
If the recovery is disabled, check the line with
- <pre>$ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub</pre>.
+ <pre>grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub</pre>.
Moreover, current GRUB2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
- <pre># grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'</pre>
+ <pre>sudo grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'</pre>
This command should not return any output. If it does, update the configuration with
- <pre># grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
+ <pre>sudo grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
<br /><br />
Alternatively, to ensure <tt>ipv6.disable=1</tt> is configured on all installed kernels, the
following command may be used:
<br />
- <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"</pre>
+ <pre>sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"</pre>
<br />
{{% else %}}
Inspect the form of default GRUB2 command line for the Linux operating system
in <tt>/boot/grub2/grubenv</tt>. If they include <tt>ipv6.disable=1</tt>, then IPv6
is disabled at boot time.
- <pre># grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv</pre>
+ <pre>sudo grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv</pre>
<br /><br />
To ensure <tt>ipv6.disable=1</tt> is configured on all installed kernels, the
following command may be used:
<br />
- <pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"</pre>
+ <pre>sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"</pre>
<br />
{{% endif %}}
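Review bot: The period after "</pre>" in "<pre>grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub</pre>." sits outside the code element and renders as a stray character on its own line after the command; since this hunk rewrites that line to drop the prompt, drop the period as well.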
@@ -77,13 +77,13 @@ warnings:
file. To update the GRUB 2 configuration file manually, use the
<pre>grub2-mkconfig -o</pre> command as follows:
<ul>
- <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
- <pre>~]# grub2-mkconfig -o /boot/grub2/grub.cfg</pre></li>
- <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
+ <li>On BIOS-based machines, issue the following command:
+ <pre>sudo grub2-mkconfig -o /boot/grub2/grub.cfg</pre></li>
+ <li>On UEFI-based machines, issue the following command:
{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}}
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
+ <pre>sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
{{% else %}}
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
+ <pre>sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
{{% endif %}}
</ul>
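Review bot: The context line "<pre>grub2-mkconfig -o</pre> command as follows:" wraps a command fragment in a block-level <pre> in the middle of a sentence, which breaks the sentence across a separate block when rendered; while this hunk is already editing the warning, use <tt>grub2-mkconfig -o</tt> there, matching how the rest of the file marks inline commands.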
From 18529b39aa08084c6a73adec2771b48eac89ce7f Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 25 Mar 2020 09:54:05 +0100
Subject: [PATCH 5/5] make description and ocil clearer
---
.../grub2_disable_ipv6/rule.yml | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
index 1c6d2388d1..e128654204 100644
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
@@ -12,6 +12,10 @@ description: |-
<tt>/etc/default/grub</tt>, so that the line looks similar to
<pre>GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."</pre>
In case the <tt>GRUB_DISABLE_RECOVERY</tt> is set to true, then the parameter should be added to the <tt>GRUB_CMDLINE_LINUX_DEFAULT</tt> instead.
+ Run one of following command to ensure that the configuration is applied when booting currently installed kernels:
+ <pre>sudo grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
+ or
+ <pre>sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"</pre>
{{% else %}}
<tt>/boot/grub2/grubenv</tt>, in the manner below:
<pre>sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"</pre>
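Review bot: The two commands added here are presented as interchangeable ("or"), but they do different things: "sudo grub2-mkconfig -o /boot/grub2/grub.cfg" regenerates grub.cfg from the /etc/default/grub edit described just above and only applies the argument if that edit was made, whereas "sudo /sbin/grubby --update-kernel=ALL --args=\"ipv6.disable=1\"" writes the argument into every installed kernel's boot entry directly and does not depend on that edit. Say which to use when (grub2-mkconfig after editing the file; grubby as a standalone alternative), and fix "Run one of following command" to "Run one of the following commands".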
@@ -37,28 +41,23 @@ ocil_clause: 'IPv6 is not disabled'
ocil: |-
{{% if product in ["rhel7", "ol7", "rhv4"] %}}
Inspect the form of default GRUB2 command line for the Linux operating system
- in <tt>/etc/default/grub</tt>. If it includes <tt>ipv6.disable=1</tt>, then IPv6
- is disabled at boot time.
+ in <tt>/etc/default/grub</tt>. Check if it includes <tt>ipv6.disable=1</tt>.
First check if the GRUB recovery is enabled:
<pre>grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>
- If this option is set to true, then check that a line is output by the following command:
+ If this option is set to true, then check that the following line is output by the following command:
<pre>grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub</pre>
If the recovery is disabled, check the line with
<pre>grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub</pre>.
Moreover, current GRUB2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
<pre>sudo grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'</pre>
- This command should not return any output. If it does, update the configuration with
+ This command should not return any output. If it does, update the configuration with one of following commands:
<pre>sudo grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
- <br /><br />
- Alternatively, to ensure <tt>ipv6.disable=1</tt> is configured on all installed kernels, the
- following command may be used:
- <br />
+ or
<pre>sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"</pre>
<br />
{{% else %}}
Inspect the form of default GRUB2 command line for the Linux operating system
- in <tt>/boot/grub2/grubenv</tt>. If they include <tt>ipv6.disable=1</tt>, then IPv6
- is disabled at boot time.
+ in <tt>/boot/grub2/grubenv</tt>. Check if it includes <tt>ipv6.disable=1</tt>.
<pre>sudo grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv</pre>
<br /><br />
To ensure <tt>ipv6.disable=1</tt> is configured on all installed kernels, the
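Review bot: "check that the following line is output by the following command" refers to a line that is never shown; only the grep command follows, so the reader has nothing to compare the output against. Either show the expected line, e.g. GRUB_CMDLINE_LINUX_DEFAULT="... ipv6.disable=1 ...", or keep the earlier wording "check that a line is output by the following command", which is what the grep actually establishes.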