IPv6 disabling doesn't respect declared mechanism #190

Closed
joshavant opened this issue Jan 20, 2024 · 0 comments
Labels: bug (Something isn't working)

Comments

joshavant (Contributor) commented Jan 20, 2024

Describe the Issue
UBUNTU22-CIS is configured with the following:
ubtu22cis_ipv6_disable: grub
ubtu22cis_ipv6_required: false

Expected Behavior
After remediation, reloading sysctl.conf variables with sysctl -p returns exit code 0

Actual Behavior
After remediation, reloading sysctl.conf variables with sysctl -p returns exit code 255

Control(s) Affected
3.2.2, 3.3.1, 3.3.2

Environment (please complete the following information):

  • branch being used: devel
  • Ansible Version: 2.16.0
  • Host Python Version: N/A
  • Ansible Server Python Version: 2.7.16
  • Additional Details: Ubuntu 22.04.3 is Server OS

Additional Notes
Currently, remediation (without any direct rule overrides) will add lines to /etc/sysctl.conf relevant to IPv6 disabling, such as the following:
net.ipv6.conf.all.forwarding=0

If ubtu22cis_ipv6_disable is configured to grub, the IPv6 networking stack is not loaded by the kernel, and so files such as /proc/sys/net/ipv6/conf/all/forwarding are not created.

However, it appears sysctl's actual behavior is that, despite a line such as net.ipv6.conf.all.forwarding=0 existing in /etc/sysctl.conf to disable IPv6 behaviors, sysctl will still attempt to look for /proc/sys/net/ipv6/conf/all/forwarding and return a non-zero exit code if that file is not found.

Here is a sample output of current behavior, immediately after applying remediation:

ubuntu@ubuntu:~$ sudo sysctl -p
[sudo] password for ubuntu: 
fs.suid_dumpable = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/forwarding: No such file or directory
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_source_route: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_source_route: No such file or directory
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_redirects: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_redirects: No such file or directory
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.route.flush = 1
ubuntu@ubuntu:~$ echo $?
255

This non-zero exit code can cause other attempts to reload sysctl to appear to fail, when interpreting the returned exit code.

Possible Solution
#191

@joshavant joshavant added the bug Something isn't working label Jan 20, 2024
@uk-bolly uk-bolly self-assigned this Jan 24, 2024
@uk-bolly uk-bolly closed this as completed Feb 7, 2024
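The behaviour reported above can be checked and worked around outside the playbook. What follows is an added example, not code from this issue or from the UBUNTU22-CIS project: a POSIX shell helper that does the same lookup sysctl(8) does (key to /proc/sys path), drops keys with no backing file, and reports whether anything was skipped, so that `sysctl -p` can be fed a file that only names keys the running kernel exposes. The function names, the fake /proc/sys tree and the sample sysctl.conf are constructed for the example; the `ipv6.disable=1` kernel parameter is assumed to be what the grub mechanism sets, since the issue does not name it.

```shell
#!/bin/sh
# Added example, not part of the UBUNTU22-CIS project.
# Context: when IPv6 is disabled on the kernel command line, the kernel never
# creates /proc/sys/net/ipv6/..., and `sysctl -p` exits 255 after a
# "cannot stat" error for every net.ipv6.* line in /etc/sysctl.conf.

# Map a sysctl key to its /proc/sys path.  sysctl(8) accepts dotted keys
# ("net.ipv4.ip_forward") and slash keys ("net/ipv4/ip_forward"); both map
# to the same file.  Interface names containing dots (e.g. VLAN eth0.100)
# need the slash form and are not handled here.
#   $1 = key, $2 = /proc/sys root (parameterised so tests can use a fake tree)
sysctl_key_to_path() {
    printf '%s/%s\n' "$2" "$(printf '%s' "$1" | tr '.' '/')"
}

# Print the lines of sysctl.conf $1 whose key has a backing file under $2
# (default /proc/sys).  Comments and blank lines are dropped; skipped keys
# are reported on stderr.  Exit status: 0 if nothing was skipped, 1 otherwise,
# so a caller can tell "all applied" from "some keys were silently ignored".
filter_sysctl_conf() {
    conf=$1
    root=${2:-/proc/sys}
    skipped=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*|';'*) continue ;;
        esac
        key=${line%%=*}
        key=$(printf '%s' "$key" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        path=$(sysctl_key_to_path "$key" "$root")
        if [ -e "$path" ]; then
            printf '%s\n' "$line"
        else
            printf 'skipping %s: %s not present\n' "$key" "$path" >&2
            skipped=$((skipped + 1))
        fi
    done < "$conf"
    [ "$skipped" -eq 0 ]
}

# True if the kernel was booted with ipv6.disable=1 (assumed to be the
# parameter the "grub" mechanism sets).  $1 overrides /proc/cmdline for tests.
ipv6_disabled_by_cmdline() {
    grep -qw 'ipv6\.disable=1' "${1:-/proc/cmdline}"
}

# Reload a sysctl.conf through the filter so the exit code of sysctl only
# reflects real failures on keys that exist.  Needs root to write /proc/sys.
# Not called at top level; invoke as: reload_sysctl_filtered /etc/sysctl.conf
reload_sysctl_filtered() {
    conf=${1:-/etc/sysctl.conf}
    filtered=$(mktemp) || return 1
    filter_sysctl_conf "$conf" /proc/sys > "$filtered" || true  # skips go to stderr
    sysctl -p "$filtered"
    rc=$?
    rm -f "$filtered"
    return "$rc"
}
```

If rewriting the file is not wanted, procps-ng `sysctl -e -p` (`--ignore`) suppresses the error for unknown keys and returns 0, at the cost of hiding typos in real keys as well; the filter above keeps the skip list visible on stderr and in its exit status.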