Merge pull request #9768 from anivan-suse/pci-dss-ipv6-rule
Add new loopback rule
Showing 8 changed files with 116 additions and 7 deletions.
...tem/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh (5 changes: 5 additions & 0 deletions)
@@ -0,0 +1,5 @@ | ||
# platform = multi_platform_sle | ||
|
||
iptables -A INPUT -i lo -j ACCEPT | ||
iptables -A OUTPUT -o lo -j ACCEPT | ||
iptables -A INPUT -s 127.0.0.0/8 -j DROP |
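Review bot: the remediation for set_ipv6_loopback_traffic programs only the IPv4 table: `iptables -A INPUT -s 127.0.0.0/8 -j DROP` matches the IPv4 loopback range and installs nothing for IPv6, so the rule does not do what its name says. The IPv6 anti-spoofing drop should be `ip6tables -A INPUT -s ::1 -j DROP`, and the two loopback accept rules need `ip6tables` counterparts as well (or the rule should be retitled if IPv4 is what is intended). Note also that all three rules are appended with `-A`, so they only take effect when no earlier INPUT/OUTPUT rule already drops loopback traffic.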
...de/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml (38 changes: 38 additions & 0 deletions)
@@ -0,0 +1,38 @@ | ||
documentation_complete: true | ||
|
||
title: 'Set configuration for IPv6 loopback traffic' | ||
|
||
description: |- | ||
Configure the loopback interface to accept traffic. | ||
Configure all other interfaces to deny traffic to the loopback | ||
network. | ||
rationale: |- | ||
Loopback traffic is generated between processes on machine and is | ||
typically critical to operation of the system. The loopback interface | ||
is the only place that loopback network traffic should be seen, | ||
all other interfaces should ignore traffic on this network as an | ||
anti-spoofing measure. | ||
severity: medium | ||
|
||
identifiers: | ||
cce@sle12: CCE-92215-3 | ||
cce@sle15: CCE-91346-7 | ||
|
||
references: | ||
cis@sle12: 3.5.3.1 | ||
cis@sle15: 3.5.3.2.2 | ||
pcidss: Req-1.4.1 | ||
|
||
warnings: | ||
- general: |- | ||
Changing firewall settings while connected over network can | ||
result in being locked out of the system. | ||
ocil_clause: 'ipv6 loopback traffic is not configured' | ||
|
||
ocil: |- | ||
Verify that the ipv6 loopback interface has required rules in order: | ||
<pre>$ iptables -L INPUT -v -n</pre> | ||
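Review bot: the OCIL check `iptables -L INPUT -v -n` lists the IPv4 table, so it cannot verify an IPv6 loopback configuration; `ip6tables -L INPUT -v -n` is the check that matches the rule's title, and the text should name the rules the auditor is expected to see (accept on `lo`, drop of source `::1`), since "required rules in order" is not defined anywhere in the rule. The description and rationale are copied verbatim from set_loopback_traffic and never mention IPv6 or `::1`, which makes the two rules indistinguishable in generated guides; `ocil_clause` and `ocil` also write "ipv6" where the title uses "IPv6".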
...e/system/network/network-iptables/iptables_activation/set_loopback_traffic/bash/shared.sh (22 changes: 22 additions & 0 deletions)
@@ -0,0 +1,22 @@ | ||
# platform = multi_platform_sle | ||
|
||
# Implement the loopback rules: | ||
nft add rule inet filter input iif lo accept | ||
nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop | ||
|
||
# Check IPv6 is disabled, if false implement IPv6 loopback rules | ||
[ -n "$passing" ] && passing="" | ||
[ -z "$(grep "^\s*linux" /boot/grub2/grub.cfg | grep -v ipv6.disabled=1)" ] && passing="true" | ||
|
||
grep -Eq "^\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" \ | ||
/etc/sysctl.conf /etc/sysctl.d/*.conf && \ | ||
grep -Eq "^\s*net\.ipv6\.conf\.default\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" \ | ||
/etc/sysctl.conf /etc/sysctl.d/*.conf && sysctl net.ipv6.conf.all.disable_ipv6 | \ | ||
grep -Eq "^\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" && \ | ||
sysctl net.ipv6.conf.default.disable_ipv6 | \ | ||
grep -Eq "^\s*net\.ipv6\.conf\.default\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" && passing="true" | ||
|
||
# Is IPv6 Disabled? (true/fasle) | ||
if [ "$passing" = false ] ; then | ||
nft add rule inet filter input ip6 saddr ::1 counter drop | ||
fi |
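Review bot: the IPv6 branch at the end of this script is dead code. `passing` is set to `"true"` when IPv6 is found disabled and otherwise stays empty, but the final test is `if [ "$passing" = false ]`, which can never be true, so `nft add rule inet filter input ip6 saddr ::1 counter drop` is never executed on a host with IPv6 enabled. Test for the empty value instead, e.g. `if [ "$passing" != true ]; then`. Related problems in the same block: the grub check greps for `ipv6.disabled=1`, but the kernel parameter is `ipv6.disable=1`, so a kernel line that disables IPv6 on the command line is never recognised; the opening `[ -n "$passing" ] && passing=""` is just `passing=""`; the IPv4 drop uses `nft create rule` while the line above uses `nft add rule` (`create` is nft's verb for tables, chains, sets and other named objects, so this should also be `add rule`, or `insert rule` if it must precede existing rules); and the remediation assumes table `inet filter` and chain `input` already exist without checking. The comment `(true/fasle)` has a typo.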
...s/guide/system/network/network-iptables/iptables_activation/set_loopback_traffic/rule.yml (42 changes: 42 additions & 0 deletions)
@@ -0,0 +1,42 @@ | ||
documentation_complete: true | ||
|
||
title: 'Set configuration for loopback traffic' | ||
|
||
description: |- | ||
Configure the loopback interface to accept traffic. | ||
Configure all other interfaces to deny traffic to the loopback | ||
network. | ||
rationale: |- | ||
Loopback traffic is generated between processes on machine and is | ||
typically critical to operation of the system. The loopback interface | ||
is the only place that loopback network traffic should be seen, all | ||
other interfaces should ignore traffic on this network as an | ||
anti-spoofing measure. | ||
severity: medium | ||
|
||
identifiers: | ||
cce@sle12: CCE-92214-6 | ||
cce@sle15: CCE-91345-9 | ||
|
||
references: | ||
cis@sle15: 3.5.2.6 | ||
pcidss: Req-1.4.1 | ||
|
||
warnings: | ||
- general: |- | ||
Changing firewall settings while connected over network can | ||
result in being locked out of the system. | ||
ocil_clause: 'loopback traffic is not configured' | ||
|
||
ocil: |- | ||
Verify that the loopback interface is configured: | ||
<pre> | ||
# nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' | ||
</pre> | ||
If IPv6 is enabled, verify that the IPv6 loopback interface is configured: | ||
<pre> | ||
# nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' | ||
</pre> |
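Review bot: the OCIL check greps only for `ip saddr` and `ip6 saddr`, so it verifies the anti-spoofing drop rules but not the `iif lo accept` rule that the description also requires; a third command over the same `awk '/hook input/,/}/'` selection grepping for `iif` would cover it, and each check should state the expected output so the auditor can recognise a pass. Two consistency points as well: the rule lives under `network-iptables/iptables_activation` while its remediation and check use `nft`, and `references` lists only `cis@sle15` although a `cce@sle12` identifier is assigned.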
@@ -1,6 +1,4 @@ | ||
CCE-91635-3 | ||
CCE-92214-6 | ||
CCE-92215-3 | ||
CCE-92216-1 | ||
CCE-92220-3 | ||
CCE-92223-7 | ||
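Review bot: the hunk header shows two entries removed from this six-entry list; the two that match the `cce@sle12` identifiers assigned in the new rule.yml files are CCE-92214-6 and CCE-92215-3, which is the expected bookkeeping for consuming CCEs from the available pool.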
@@ -1,6 +1,4 @@ | ||
CCE-91342-6 | ||
CCE-91345-9 | ||
CCE-91346-7 | ||
CCE-91347-5 | ||
CCE-91348-3 | ||
CCE-91349-1 | ||
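Review bot: as with the sle12 list, two entries are removed from six here; the two matching the new rules' `cce@sle15` identifiers are CCE-91345-9 and CCE-91346-7, consistent with the rule.yml files in this commit.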