From 6f50790f58c22bf00b98792ac800e8ddcae3ef47 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Mon, 2 Dec 2024 13:02:43 +0100
Subject: [PATCH 1/3] Add tests to rule set_ipv6_loopback_traffic
---
 .../set_ipv6_loopback_traffic/tests/correct.pass.sh | 8 ++++++++
 .../set_ipv6_loopback_traffic/tests/ipv6_disabled.pass.sh | 7 +++++++
 .../set_ipv6_loopback_traffic/tests/wrong.fail.sh | 7 +++++++
 3 files changed, 22 insertions(+)
 create mode 100644 linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/tests/ipv6_disabled.pass.sh
 create mode 100644 linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/tests/wrong.fail.sh
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/tests/correct.pass.sh b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/tests/correct.pass.sh
new file mode 100644
index 00000000000..8f0b669ca5c
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/tests/correct.pass.sh
@@ -0,0 +1,8 @@
+# platform = multi_platform_ubuntu
+# packages = iptables,iptables-persistent
+
+apt purge -y nftables ufw
+
+ip6tables -A INPUT -i lo -j ACCEPT
+ip6tables -A OUTPUT -o lo -j ACCEPT
+ip6tables -A INPUT -s ::1 -j DROP
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/tests/ipv6_disabled.pass.sh b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/tests/ipv6_disabled.pass.sh
new file mode 100644
index 00000000000..95465ab5ca3
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/tests/ipv6_disabled.pass.sh
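Review bot: The pass scenario appends its three rules without flushing first, so if the test image already carries INPUT rules they end up between the `ACCEPT lo` and `DROP ::1` entries, and the SCE's INPUT pattern, which joins those two rules with `[[:space:]]+` under `grep -Ez`, no longer matches — the pass test would then fail for reasons unrelated to the rule under test. The other two scenarios in this patch start from `ip6tables -F`; adding the same line before the first `ip6tables -A` here keeps the expected state independent of the image. A one-line comment over `apt purge -y nftables ufw` saying why those packages must be absent (presumably so that ip6tables is the active backend the SCE inspects) would help the next reader.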
@@ -0,0 +1,7 @@
+# platform = multi_platform_ubuntu
+# packages = iptables,iptables-persistent
+
+apt purge -y nftables ufw
+
+ip6tables -F
+sysctl net.ipv6.conf.all.disable_ipv6=1
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/tests/wrong.fail.sh b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/tests/wrong.fail.sh
new file mode 100644
index 00000000000..19e22d716e9
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/tests/wrong.fail.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_ubuntu
+# remediation = none
+# packages = iptables,iptables-persistent
+
+apt purge -y nftables ufw
+
+ip6tables -F
From 0300256fcf71b371c65b9672f8220df0a910ac2c Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Mon, 2 Dec 2024 13:04:58 +0100
Subject: [PATCH 2/3] Update ubuntu2404 CIS control 4.4.3.2
---
 controls/cis_ubuntu2404.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 60eb3cd6642..18099629355 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -1510,10 +1510,9 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- related_rules:
+ rules:
 - set_ipv6_loopback_traffic
- status: planned
- notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/3.5.3.3.2.
+ status: automated
 - id: 4.4.3.3
 title: Ensure ip6tables outbound and established connections are configured (Manual)
From a8ce7215aa37e6d1c65c9ef3808dc9e53eee1f12 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Mon, 2 Dec 2024 13:40:29 +0100
Subject: [PATCH 3/3] Fix set_ipv6_loopback_traffic SCE for ubuntu2404
ip6tables output changed from ubuntu2204 to ubuntu2404. E.g. from `ip6tables -n -v -L INPUT` - 22.04: `0 0 ACCEPT all lo * ::/0 ::/0` - 24.04: `0 0 ACCEPT 0 -- lo * ::/0 ::/0`kj
---
 .../set_ipv6_loopback_traffic/sce/ubuntu.sh | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/sce/ubuntu.sh b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/sce/ubuntu.sh
index 674c412d5ac..4e57b6d20b0 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/sce/ubuntu.sh
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/sce/ubuntu.sh
@@ -7,15 +7,21 @@ if [ ! -e /proc/sys/net/ipv6/conf/all/disable_ipv6 ] || [ "$(cat /proc/sys/net/i
 exit "$XCCDF_RESULT_PASS"
 fi
-regex="\s+[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+lo\s+\*\s+::\/0\s+::\/0[[:space:]]+[0-9]+\s+[0-9]+\s+DROP\s+all\s+\*\s+\*\s+::1\s+::\/0"
+{{% if product in ['ubuntu2404'] %}}
+regex_input="\s+[0-9]+\s+[0-9]+\s+ACCEPT\s+[0-9]+\s+--\s+lo\s+\*\s+::\/0\s+::\/0[[:space:]]+[0-9]+\s+[0-9]+\s+DROP\s+[0-9]+\s+--\s+\*\s+\*\s+::1\s+::\/0"
+regex_output="\s[0-9]+\s+[0-9]+\s+ACCEPT\s+[0-9]+\s+--\s+\*\s+lo\s+::\/0\s+::\/0"
+{{% else %}}
+regex_input="\s+[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+lo\s+\*\s+::\/0\s+::\/0[[:space:]]+[0-9]+\s+[0-9]+\s+DROP\s+all\s+\*\s+\*\s+::1\s+::\/0"
+regex_output="\s[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+\*\s+lo\s+::\/0\s+::\/0"
+{{% endif %}}
 # Check chain INPUT for loopback related rules
-if ! ip6tables -L INPUT -v -n -x | grep -Ezq "$regex" ; then
+if ! ip6tables -L INPUT -v -n -x | grep -Ezq "$regex_input" ; then
 exit "$XCCDF_RESULT_FAIL"
 fi
 # Check chain OUTPUT for loopback related rules
-if ! ip6tables -L OUTPUT -v -n -x | grep -Eq "\s[0-9]+\s+[0-9]+\s+ACCEPT\s+all\s+\*\s+lo\s+::\/0\s+::\/0" ; then
+if ! ip6tables -L OUTPUT -v -n -x | grep -Eq "$regex_output"; then
 exit "$XCCDF_RESULT_FAIL"
 fi
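Review bot: The `{{% if product in ['ubuntu2404'] %}}` branch keys the pattern on the product name, but what actually differs is the listing format of the iptables build in use (`all` in the prot column versus a numeric `0` plus a `--` opt column, as the commit message shows), so any other product that picks up that iptables release will silently fall into the `else` pattern and report FAIL on a compliant host. A single pattern accepting both forms removes the branch and the per-product maintenance: `regex_input="\s+[0-9]+\s+[0-9]+\s+ACCEPT\s+(all|[0-9]+\s+--)\s+lo\s+\*\s+::\/0\s+::\/0[[:space:]]+[0-9]+\s+[0-9]+\s+DROP\s+(all|[0-9]+\s+--)\s+\*\s+\*\s+::1\s+::\/0"` and `regex_output="\s[0-9]+\s+[0-9]+\s+ACCEPT\s+(all|[0-9]+\s+--)\s+\*\s+lo\s+::\/0\s+::\/0"`. Independently of the format, `regex_input` still requires the `DROP ::1` rule to sit directly after the `ACCEPT lo` rule (the `[[:space:]]+` join under `grep -Ez`), so a host with any unrelated rule between them fails the check; a comment above `regex_input` stating whether that adjacency is intended, or relaxing the join if it is not, would make the contract explicit. The script's final exit after the OUTPUT check lies beyond the end of the hunk.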