From 0f919eef79444dfbbf105d58258f4935596d617d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Fri, 20 Mar 2020 11:15:10 +0100
Subject: [PATCH 1/5] add rule
---
 .../grub2_disable_ipv6/rule.yml | 94 +++++++++++++++++++
 2 files changed, 94 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
new file mode 100644
index 0000000000..ab3137e57e
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
@@ -0,0 +1,94 @@
+documentation_complete: true
+
+prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4
+
+title: 'Ensure IPv6 is disabled through kernel boot parameter'
+
+description: |-
+ To disable IPv6 protocol support in the Linux kernel,
+ add the argument ipv6.disable=1 to the default
+ GRUB 2 command line for the Linux operating system in
+{{% if product in ["rhel7", "ol7", "rhv4"] %}}
+ /etc/default/grub, so that the line looks similar to
GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."
+ In case the GRUB_DISABLE_RECOVERY is set to true, then the parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT instead.
+{{% else %}}
+ /boot/grub2/grubenv, in the manner below:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
+{{% endif %}}
+
+
+rationale: |-
+ Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
+ the vulnerability to exploitation.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 82886-3
+ cce@rhel8: 82887-1
+
+references:
+ cis@rhel7: 3.3.3
+ cis@rhel8: "3.6"
+
+ocil_clause: 'IPv6 is not disabled'
+
+ocil: |-
+ {{% if product in ["rhel7", "ol7", "rhv4"] %}}
+ Inspect the form of default GRUB 2 command line for the Linux operating system
+ in /etc/default/grub. If it includes ipv6.disable=1, then IPv6
+ is disabled at boot time.
+ First check if the GRUB recovery is enabled:
$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+ If this option is set to true, then check that a line is output by the following command: +
$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
+ If the recovery is disabled, check the line with +
$ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
.
+ Moreover, current Grub2 config file in /etc/grub2/grub.cfg must be checked.
# grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
+ This command should not return any output. If it does, update the configuration with +
# grub2-mkconfig -o /boot/grub2/grub.cfg
+

+ Alternatively, to ensure ipv6.disable=1 is configured on all installed kernels, the
+ following command may be used:
+
$ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
+
+{{% else %}}
+ Inspect the form of default GRUB 2 command line for the Linux operating system
+ in /boot/grub2/grubenv. If they include ipv6.disable=1, then IPv6
+ is disabled at boot time.
# grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
+

+ To ensure ipv6.disable=1 is configured on all installed kernels, the
+ following command may be used:
+
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
+
+{{% endif %}}
+
+
+warnings:
+ - management: |-
+ The GRUB 2 configuration file, grub.cfg,
+ is automatically updated each time a new kernel is installed. Note that any
+ changes to /etc/default/grub require rebuilding the grub.cfg
+ file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o
command as follows: + + +template: + name: grub2_bootloader_argument + vars: + arg_name: ipv6.disable + arg_value: '1' From 847faabaa90a70a4c1c4c896c287f8f05b40579c Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 20 Mar 2020 15:06:45 +0100 Subject: [PATCH 2/5] add rule to rhel7 and rhel8 cis --- rhel7/profiles/cis.profile | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile index b66594f594..88b27c7a71 100644 --- a/rhel7/profiles/cis.profile +++ b/rhel7/profiles/cis.profile @@ -350,6 +350,7 @@ selections: - sysctl_net_ipv6_conf_default_accept_redirects ### 3.3.3 Ensure IPv6 is disabled (Not Scored) + - grub2_disable_ipv6 ## 3.4 TCP Wrappers ### 3.4.1 Ensure TCP Wrappers is installed (Scored) From 95e501a09061ade19d5c6363967bc48a5e28ef41 Mon Sep 17 00:00:00 2001 From: vojtapolasek Date: Mon, 23 Mar 2020 08:49:06 +0100 Subject: [PATCH 3/5] fix wording in rule.yml Co-Authored-By: Shawn Wells --- .../disabling_ipv6/grub2_disable_ipv6/rule.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml index ab3137e57e..06fd3b2a36 100644 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml @@ -7,7 +7,7 @@ title: 'Ensure IPv6 is disabled through kernel boot parameter' description: |- To disable IPv6 protocol support in the Linux kernel, add the argument ipv6.disable=1 to the default - GRUB 2 command line for the Linux operating system in + GRUB2 command line for the Linux operating system in {{% if product in ["rhel7", "ol7", "rhv4"] %}} /etc/default/grub, so that the line looks similar to
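Review bot: The `grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub` check in the ocil block also matches a `GRUB_CMDLINE_LINUX_DEFAULT=` line (and a commented-out one), so the "recovery enabled" path can be judged compliant while the recovery entries still boot with IPv6 on; anchoring it as `grep '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=1' /etc/default/grub` keeps the two checks distinct, and the unescaped `.` should be escaped in the sibling patterns as well. The sentence `Moreover, current Grub2 config file in /etc/grub2/grub.cfg must be checked.` names a different path from the `/boot/grub2/grub.cfg` the command under it reads; the two should agree. The `grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'` step treats "no output" as a pass, which is also what a missing file produces, and the warnings block itself says the live config on UEFI machines is under `/boot/efi/EFI/`, so the check should name that path too or first confirm the file exists. The same patterns are carried forward unchanged in the rule.yml hunks of patches 3, 4 and 5 below.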
GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."
@@ -19,7 +19,7 @@ description: |- rationale: |- - Any unnecessary network stacks - including IPv6 - should be disabled, to reduce + Any unnecessary network stacks, including IPv6, should be disabled to reduce the vulnerability to exploitation. severity: medium @@ -36,7 +36,7 @@ ocil_clause: 'IPv6 is not disabled' ocil: |- {{% if product in ["rhel7", "ol7", "rhv4"] %}} - Inspect the form of default GRUB 2 command line for the Linux operating system + Inspect the form of default GRUB2 command line for the Linux operating system in /etc/default/grub. If it includes ipv6.disable=1, then IPv6 is disabled at boot time. First check if the GRUB recovery is enabled: @@ -45,7 +45,7 @@ ocil: |-
$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
If the recovery is disabled, check the line with
$ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
. - Moreover, current Grub2 config file in /etc/grub2/grub.cfg must be checked. + Moreover, current GRUB2 config file in /etc/grub2/grub.cfg must be checked.
# grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
This command should not return any output. If it does, update the configuration with
# grub2-mkconfig -o /boot/grub2/grub.cfg
@@ -56,7 +56,7 @@ ocil: |-
$ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"

{{% else %}} - Inspect the form of default GRUB 2 command line for the Linux operating system + Inspect the form of default GRUB2 command line for the Linux operating system in /boot/grub2/grubenv. If they include ipv6.disable=1, then IPv6 is disabled at boot time.
# grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
From 3006d2025e472c2c457f5665ab0096f22e84766c Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 23 Mar 2020 14:13:15 +0100 Subject: [PATCH 4/5] change severity, reorder prodtypes, and add sudo instead of root --- .../grub2_disable_ipv6/rule.yml | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml index 06fd3b2a36..1c6d2388d1 100644 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel7,ol7,rhel8,ol8,fedora,rhv4,ocp4 +prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 title: 'Ensure IPv6 is disabled through kernel boot parameter' @@ -14,7 +14,7 @@ description: |- In case the GRUB_DISABLE_RECOVERY is set to true, then the parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT instead. {{% else %}} /boot/grub2/grubenv, in the manner below: -
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
+
sudo  grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
{{% endif %}} @@ -22,7 +22,7 @@ rationale: |- Any unnecessary network stacks, including IPv6, should be disabled to reduce the vulnerability to exploitation. -severity: medium +severity: low identifiers: cce@rhel7: 82886-3 @@ -40,31 +40,31 @@ ocil: |- in /etc/default/grub. If it includes ipv6.disable=1, then IPv6 is disabled at boot time. First check if the GRUB recovery is enabled: -
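Review bot: The new `sudo  grub2-editenv - set ...` line has two spaces between `sudo` and the command, which readers will copy verbatim; `sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"` is what is intended, and the same line recurs in the ocil hunk below and as context in patch 5. The command also appends `ipv6.disable=1` to whatever `grep kernelopts` returns without checking whether the argument is already there, so running the remediation a second time leaves a duplicated argument in kernelopts; a sentence noting that the command is meant to be run once, after inspecting `grub2-editenv - list | grep kernelopts`, would avoid that. The description block this hunk edits starts outside the hunk.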
$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+
grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command: -
$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
+
grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
If the recovery is disabled, check the line with -
$ grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
. +
grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
. Moreover, current GRUB2 config file in /etc/grub2/grub.cfg must be checked. -
# grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
+
sudo grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
This command should not return any output. If it does, update the configuration with -
# grub2-mkconfig -o /boot/grub2/grub.cfg
+
sudo grub2-mkconfig -o /boot/grub2/grub.cfg


Alternatively, to ensure ipv6.disable=1 is configured on all installed kernels, the following command may be used:
-
$ sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
+
sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"

{{% else %}} Inspect the form of default GRUB2 command line for the Linux operating system in /boot/grub2/grubenv. If they include ipv6.disable=1, then IPv6 is disabled at boot time. -
# grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv
+
sudo grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv


To ensure ipv6.disable=1 is configured on all installed kernels, the following command may be used:
-
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
+
sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"

{{% endif %}} @@ -77,13 +77,13 @@ warnings: file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o
command as follows:
    -
  • On BIOS-based machines, issue the following command as root: -
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • -
  • On UEFI-based machines, issue the following command as root: +
  • On BIOS-based machines, issue the following command: +
    sudo grub2-mkconfig -o /boot/grub2/grub.cfg
  • +
  • On UEFI-based machines, issue the following command: {{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}} -
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • +
    sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
    {{% else %}} -
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    +
    sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    {{% endif %}}
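Review bot: The UEFI branch `{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}}` does not list `rhv4` or `ocp4`, both of which appear in `prodtype`, so for those products the rendered warning tells the administrator to write `/boot/efi/EFI/fedora/grub.cfg`; unless that path is known to be correct for them, the condition should be extended (for RHV presumably with `"rhv4"`) or the fallback revisited. That condition is context here, but the hunk rewrites every command beneath it, so it is the natural place to fix it. The ocil block, which only ever reads `/boot/grub2/grub.cfg`, does not make this BIOS/UEFI distinction; a pointer from there to this warning would keep the check and the remediation consistent. The `management` warning starts outside the hunk.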
From 18529b39aa08084c6a73adec2771b48eac89ce7f Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 25 Mar 2020 09:54:05 +0100 Subject: [PATCH 5/5] make description and ocil clearer --- .../grub2_disable_ipv6/rule.yml | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml index 1c6d2388d1..e128654204 100644 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml @@ -12,6 +12,10 @@ description: |- /etc/default/grub, so that the line looks similar to
GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."
In case the GRUB_DISABLE_RECOVERY is set to true, then the parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT instead. + Run one of following command to ensure that the configuration is applied when booting currently installed kernels: +
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
+ or +
sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
{{% else %}} /boot/grub2/grubenv, in the manner below:
sudo  grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
@@ -37,28 +41,23 @@ ocil_clause: 'IPv6 is not disabled' ocil: |- {{% if product in ["rhel7", "ol7", "rhv4"] %}} Inspect the form of default GRUB2 command line for the Linux operating system - in /etc/default/grub. If it includes ipv6.disable=1, then IPv6 - is disabled at boot time. + in /etc/default/grub. Check if it includes ipv6.disable=1. First check if the GRUB recovery is enabled:
grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
- If this option is set to true, then check that a line is output by the following command: + If this option is set to true, then check that the following line is output by the following command:
grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
If the recovery is disabled, check the line with
grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
. Moreover, current GRUB2 config file in /etc/grub2/grub.cfg must be checked.
sudo grep vmlinuz /boot/grub2/grub.cfg | grep -v 'ipv6.disable=1'
- This command should not return any output. If it does, update the configuration with + This command should not return any output. If it does, update the configuration with one of following commands:
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
-

- Alternatively, to ensure ipv6.disable=1 is configured on all installed kernels, the - following command may be used: -
+ or
sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"

{{% else %}} Inspect the form of default GRUB2 command line for the Linux operating system - in /boot/grub2/grubenv. If they include ipv6.disable=1, then IPv6 - is disabled at boot time. + in /boot/grub2/grubenv. Check if it includes ipv6.disable=1.
sudo grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv


To ensure ipv6.disable=1 is configured on all installed kernels, the