Merge pull request #9768 from anivan-suse/pci-dss-ipv6-rule

Add new loopback rule

controls/cis_sle_15.yml

@@ -1012,6 +1012,8 @@ controls:
       - l1_server
       - l1_workstation
     status: manual
+    rules:
+      - set_loopback_traffic
 
   - id: 3.5.2.7
     title: Ensure outbound and established connections are configured (Manual)
@@ -1082,6 +1084,8 @@ controls:
       - l1_server
       - l1_workstation
     status: manual
+    rules:
+      - set_ipv6_loopback_traffic
 
   - id: 3.5.3.2.3
     title: Ensure outbound and established connections are configured (Manual)
@@ -1564,7 +1568,7 @@ controls:
       - l1_server
       - l1_workstation
     status: automated
-    rule:
+    rules:
       - file_groupowner_at_allow
       - file_owner_at_allow
       - file_permissions_at_allow
@@ -1747,7 +1751,7 @@ controls:
       - l1_server
       - l1_workstation
     status: automated
-    rule:
+    rules:
       - sshd_enable_warning_banner
 
   - id: 5.2.19
@@ -2197,7 +2201,7 @@ controls:
       - l1_server
       - l1_workstation
     status: automated
-    rule:
+    rules:
       - group_unique_id
 
   - id: 6.2.16

linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh

@@ -0,0 +1,5 @@
+# platform = multi_platform_sle
+
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+iptables -A INPUT -s 127.0.0.0/8 -j DROP

linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml

@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Set configuration for IPv6 loopback traffic'
+
+description: |-
+    Configure the loopback interface to accept traffic.
+    Configure all other interfaces to deny traffic to the loopback
+    network.
+
+rationale: |-
+    Loopback traffic is generated between processes on machine and is
+    typically critical to operation of the system. The loopback interface
+    is the only place that loopback network traffic should be seen,
+    all other interfaces should ignore traffic on this network as an
+    anti-spoofing measure.
+
+severity: medium
+
+identifiers:
+    cce@sle12: CCE-92215-3
+    cce@sle15: CCE-91346-7
+
+references:
+    cis@sle12: 3.5.3.1
+    cis@sle15: 3.5.3.2.2 
+    pcidss: Req-1.4.1
+
+warnings:
+    - general: |-
+        Changing firewall settings while connected over network can
+        result in being locked out of the system.
+
+ocil_clause: 'ipv6 loopback traffic is not configured'
+
+ocil: |-
+    Verify that the ipv6 loopback interface has required rules in order:
+    <pre>$ iptables -L INPUT -v -n</pre>
+

linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/bash/shared.sh

@@ -0,0 +1,22 @@
+# platform = multi_platform_sle
+
+# Implement the loopback rules:
+nft add rule inet filter input iif lo accept
+nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop
+
+# Check IPv6 is disabled, if false implement IPv6 loopback rules
+[ -n "$passing" ] && passing=""
+[ -z "$(grep "^\s*linux" /boot/grub2/grub.cfg | grep -v ipv6.disabled=1)" ] && passing="true"
+
+grep -Eq "^\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" \
+/etc/sysctl.conf /etc/sysctl.d/*.conf && \
+grep -Eq "^\s*net\.ipv6\.conf\.default\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" \
+/etc/sysctl.conf /etc/sysctl.d/*.conf && sysctl net.ipv6.conf.all.disable_ipv6 | \
+grep -Eq "^\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" && \
+sysctl net.ipv6.conf.default.disable_ipv6 | \
+grep -Eq "^\s*net\.ipv6\.conf\.default\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" && passing="true"
+
+# Is IPv6 Disabled? (true/fasle)
+if [ "$passing" = false ] ; then
+    nft add rule inet filter input ip6 saddr ::1 counter drop
+fi

linux_os/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml

@@ -0,0 +1,42 @@
+documentation_complete: true
+
+title: 'Set configuration for loopback traffic' 
+
+description: |-
+    Configure the loopback interface to accept traffic. 
+    Configure all other interfaces to deny traffic to the loopback 
+    network.
+
+rationale: |-
+    Loopback traffic is generated between processes on machine and is 
+    typically critical to operation of the system. The loopback interface 
+    is the only place that loopback network traffic should be seen, all 
+    other interfaces should ignore traffic on this network as an
+    anti-spoofing measure.
+   
+severity: medium
+
+identifiers:
+    cce@sle12: CCE-92214-6
+    cce@sle15: CCE-91345-9
+
+references:
+    cis@sle15: 3.5.2.6
+    pcidss: Req-1.4.1
+
+warnings:
+    - general: |-
+        Changing firewall settings while connected over network can 
+        result in being locked out of the system.
+
+ocil_clause: 'loopback traffic is not configured'
+
+ocil: |-
+    Verify that the loopback interface is configured:
+    <pre>
+    # nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'
+    </pre>
+    If IPv6 is enabled, verify that the IPv6 loopback interface is configured:
+    <pre>
+    # nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr'
+    </pre>

products/sle15/profiles/pci-dss-4.profile

@@ -94,6 +94,8 @@ selections:
     -  service_cups_disabled
     -  service_rpcbind_disabled
     -  service_rsyncd_disabled
+    -  set_ipv6_loopback_traffic
+    -  set_loopback_traffic
     -  sshd_disable_empty_passwords
     -  sshd_disable_rhosts
     -  sshd_disable_root_login

shared/references/cce-sle12-avail.txt

@@ -1,6 +1,4 @@
 CCE-91635-3
-CCE-92214-6
-CCE-92215-3
 CCE-92216-1
 CCE-92220-3
 CCE-92223-7

shared/references/cce-sle15-avail.txt

@@ -1,6 +1,4 @@
 CCE-91342-6
-CCE-91345-9
-CCE-91346-7
 CCE-91347-5
 CCE-91348-3
 CCE-91349-1