From 26ca545c89207d2ac2ba2fb68824c1c323fece79 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 3 Aug 2022 07:44:35 -0500
Subject: [PATCH 4/8] Merge pull request #9277 from
 yuumasato/new_sysctl_ipv4_forwarding_rule

Patch-name: scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch
Patch-status: New sysctl ipv4 forwarding rule
---
 .../rule.yml                                  | 44 +++++++++++++++++++
 ...ctl_net_ipv4_conf_all_forwarding_value.var | 17 +++++++
 .../sysctl_net_ipv4_ip_forward/rule.yml       |  1 -
 products/rhel8/profiles/stig.profile          |  2 +-
 shared/references/cce-redhat-avail.txt        |  1 -
 .../data/profile_stability/rhel8/stig.profile |  4 +-
 .../profile_stability/rhel8/stig_gui.profile  |  2 +-
 7 files changed, 65 insertions(+), 6 deletions(-)
 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var

diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
new file mode 100644
index 0000000000..7b0066f7c2
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
@@ -0,0 +1,44 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}'
+
+rationale: |-
+    IP forwarding permits the kernel to forward packets from one network
+    interface to another. The ability to forward packets between two networks is
+    only appropriate for systems acting as routers.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86220-1
+
+references:
+    disa: CCI-000366
+    nist: CM-6(b)
+    srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel8: RHEL-08-040259
+
+ocil_clause: 'IP forwarding value is "1" and the system is not router'
+
+ocil: |-
+    {{{ ocil_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}
+    The ability to forward packets is only appropriate for routers.
+
+fixtext: |-
+    Configure {{{ full_name }}} to not allow packet forwarding unless the system is a router with the following commands:
+    {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.forwarding", value="0") | indent(4) }}}
+
+srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless the system is a router.'
+
+platform: machine
+
+template:
+    name: sysctl
+    vars:
+        sysctlvar: net.ipv4.conf.all.forwarding
+        datatype: int
+
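Review bot: The `description`, `ocil` and `fixtext` on lines 34, 55 and 60 hard-code the expected value `0`, while the `template.vars` block at the end of the file sets no `sysctlval`, so the generated check presumably takes its expected value from the `sysctl_net_ipv4_conf_all_forwarding_value` variable added in the same patch, which also offers an `enabled: 1` option; a profile that refines that variable would then ship prose and a check that disagree. Either pin the rule by adding `sysctlval: '0'` under `vars`, or phrase the description/OCIL/fixtext around the variable rather than a literal. Separately, `ocil_clause` reads `'IP forwarding value is "1" and the system is not router'` and should be `'IP forwarding value is "1" and the system is not a router'`.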
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
new file mode 100644
index 0000000000..2aedd6e643
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: net.ipv4.conf.all.forwarding
+
+description: 'Toggle IPv4 Forwarding'
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+    default: "0"
+    disabled: "0"
+    enabled: 1
+
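Review bot: The `options` block quotes `default` and `disabled` as `"0"` but leaves `enabled: 1` unquoted, so two options are YAML strings and the third is a YAML integer even though `type: number` applies to all of them; a consumer comparing option values may treat them differently. Write all three the same way, e.g. `enabled: "1"`. The `description: 'Toggle IPv4 Forwarding'` could also name the sysctl it controls so the variable is recognisable on its own, e.g. `description: 'Value of the net.ipv4.conf.all.forwarding sysctl (0 disables forwarding)'`.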
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
index 5c449db7f3..7acfc0b05b 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -45,7 +45,6 @@ references:
     stigid@ol7: OL07-00-040740
     stigid@ol8: OL08-00-040260
     stigid@rhel7: RHEL-07-040740
-    stigid@rhel8: RHEL-08-040259
     stigid@sle12: SLES-12-030430
     stigid@sle15: SLES-15-040380
 
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 4b480bd2c1..6b44436a2b 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1127,7 +1127,7 @@ selections:
     - sysctl_net_ipv6_conf_default_accept_source_route
 
     # RHEL-08-040259
-    - sysctl_net_ipv4_ip_forward
+    - sysctl_net_ipv4_conf_all_forwarding
 
     # RHEL-08-040260
     - sysctl_net_ipv6_conf_all_forwarding
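Review bot: Swapping `sysctl_net_ipv4_ip_forward` for `sysctl_net_ipv4_conf_all_forwarding` on lines 115-116 drops the `net.ipv4.ip_forward` check from the profile entirely, and as far as I know the kernel exposes the two names as the same forwarding toggle, so a persistent `net.ipv4.ip_forward = 1` left in /etc/sysctl.conf or /etc/sysctl.d would re-enable forwarding on the next boot after the new rule's remediation; the new rule's check presumably scans only for its own sysctl name and would not notice that entry. Worth confirming whether the sysctl template's config-file scan covers the alias, or whether `sysctl_net_ipv4_ip_forward` should stay selected next to the new rule (the RHEL-08-040259 reference moved in this patch, so it would need a different comment). The `selections` list starts and ends outside the hunk.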
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index a613a152ae..9480db3eae 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -176,7 +176,6 @@ CCE-86216-9
 CCE-86217-7
 CCE-86218-5
 CCE-86219-3
-CCE-86220-1
 CCE-86221-9
 CCE-86222-7
 CCE-86223-5
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 4bee72830d..47f53a9d02 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -1,7 +1,7 @@
 title: DISA STIG for Red Hat Enterprise Linux 8
 description: 'This profile contains configuration checks that align to the
 
-    DISA STIG for Red Hat Enterprise Linux 8 V1R7
+    DISA STIG for Red Hat Enterprise Linux 8 V1R7.
 
 
     In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
@@ -395,13 +395,13 @@ selections:
 - sysctl_net_core_bpf_jit_harden
 - sysctl_net_ipv4_conf_all_accept_redirects
 - sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_forwarding
 - sysctl_net_ipv4_conf_all_rp_filter
 - sysctl_net_ipv4_conf_all_send_redirects
 - sysctl_net_ipv4_conf_default_accept_redirects
 - sysctl_net_ipv4_conf_default_accept_source_route
 - sysctl_net_ipv4_conf_default_send_redirects
 - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- sysctl_net_ipv4_ip_forward
 - sysctl_net_ipv6_conf_all_accept_ra
 - sysctl_net_ipv6_conf_all_accept_redirects
 - sysctl_net_ipv6_conf_all_accept_source_route
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index ece32d06a6..c4e60ddcde 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -405,13 +405,13 @@ selections:
 - sysctl_net_core_bpf_jit_harden
 - sysctl_net_ipv4_conf_all_accept_redirects
 - sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_forwarding
 - sysctl_net_ipv4_conf_all_rp_filter
 - sysctl_net_ipv4_conf_all_send_redirects
 - sysctl_net_ipv4_conf_default_accept_redirects
 - sysctl_net_ipv4_conf_default_accept_source_route
 - sysctl_net_ipv4_conf_default_send_redirects
 - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- sysctl_net_ipv4_ip_forward
 - sysctl_net_ipv6_conf_all_accept_ra
 - sysctl_net_ipv6_conf_all_accept_redirects
 - sysctl_net_ipv6_conf_all_accept_source_route
-- 
2.37.1