Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
RHEL6/input/system/network/ipv6.xml | 122 ++++++++++++++++++++++++-----------
1 files changed, 83 insertions(+), 39 deletions(-)
diff --git a/RHEL6/input/system/network/ipv6.xml b/RHEL6/input/system/network/ipv6.xml
index b7e8ad0..2b0b165 100644
--- a/RHEL6/input/system/network/ipv6.xml
+++ b/RHEL6/input/system/network/ipv6.xml
@@ -13,29 +13,35 @@ Despite configuration that suggests support for IPv6 has
been disabled, link-local IPv6 address autoconfiguration occurs
even when only an IPv4 address is assigned. The only way to
effectively prevent execution of the IPv6 networking stack is to
-instruct the IPv6 kernel module not to load it.</description>
+instruct the system not to activate the IPv6 kernel module.
+</description>
<Rule id="disable_ipv6_module_loading">
<title>Disable IPv6 Networking Support Automatic Loading</title>
-<description>To prevent the IPv6 kernel module (<tt>ipv6</tt>) from
loading the IPv6 networking stack, add the following line to
<tt>/etc/modprobe.d/disabled.conf</tt> (or another file in
<tt>/etc/modprobe.d</tt>):
+<description>To prevent the IPv6 kernel module (<tt>ipv6</tt>) from
loading the
+IPv6 networking stack, add the following line to
+<tt>/etc/modprobe.d/disabled.conf</tt> (or another file in
+<tt>/etc/modprobe.d</tt>):
<pre>options ipv6 disable=1</pre>
-This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on
it),
-while disabling support for the IPv6 protocol.
+This permits the IPv6 module to be loaded (and thus satisfy other modules that
+depend on it), while disabling support for the IPv6 protocol.
</description>
<ocil clause="the ipv6 kernel module is loaded">
If the system is configured to prevent the loading of the
<tt>ipv6</tt> kernel module, it will contain a line
of the form:
<pre>options ipv6 disable=1</pre>
-inside any file in <tt>/etc/modprobe.d</tt> or the
deprecated<tt>/etc/modprobe.conf</tt>.
-This permits insertion of the IPv6 kernel module (which other parts of the system
-expect to be present), but otherwise keeps it inactive.
-Run the following command to search for such lines in all files in
<tt>/etc/modprobe.d</tt>
-and the deprecated <tt>/etc/modprobe.conf</tt>:
+inside any file in <tt>/etc/modprobe.d</tt> or the
+deprecated<tt>/etc/modprobe.conf</tt>. This permits insertion of the IPv6
+kernel module (which other parts of the system expect to be present), but
+otherwise keeps it inactive. Run the following command to search for such
+lines in all files in <tt>/etc/modprobe.d</tt> and the deprecated
+<tt>/etc/modprobe.conf</tt>:
<pre xml:space="preserve">$ grep -r ipv6 /etc/modprobe.conf
/etc/modprobe.d</pre>
</ocil>
<rationale>
-Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the
vulnerability to exploitation.
+Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
+the vulnerability to exploitation.
</rationale>
<ident cce="CCE-3562-6" />
<oval id="kernel_module_ipv6_option_disabled" />
@@ -44,10 +50,13 @@ Any unnecessary network stacks - including IPv6 - should be disabled,
to reduce
<Rule id="network_ipv6_disable_interfaces">
<title>Disable Interface Usage of IPv6</title>
-<description>To prevent configuration of IPv6 for all interfaces, add or correct
the following lines in <tt>/etc/sysconfig/network</tt>:
+<description>To prevent configuration of IPv6 for all interfaces, add or
+correct the following lines in <tt>/etc/sysconfig/network</tt>:
<pre>NETWORKING_IPV6=no
IPV6INIT=no</pre>
-For each network interface <i>IFACE</i> , add or correct the following lines
in <tt>/etc/sysconfig/network-scripts/</tt> ifcfg-<i>IFACE</i> as
an additional prevention mechanism:
+For each network interface <i>IFACE</i> , add or correct the following lines
in
+<tt>/etc/sysconfig/network-scripts/</tt> ifcfg-<i>IFACE</i> as an
additional
+prevention mechanism:
<pre>IPV6INIT=no</pre>
</description>
<ref nist="CM-6, CM-7" />
@@ -55,11 +64,14 @@ For each network interface <i>IFACE</i> , add or correct
the following lines in
<Rule id="network_ipv6_disable_rpc">
<title>Disable Support for RPC IPv6</title>
-<description>RPC services for NFSv4 try to load transport modules for
<tt>udp6</tt> and <tt>tcp6</tt> by default, even if IPv6 has been
disabled in <tt>/etc/modprobe.d</tt>. To prevent RPC services such as
<tt>rpc.mountd</tt> from attempting to start IPv6 network listeners, remove or
comment out the following two lines in <tt>/etc/netconfig</tt>:
+<description>RPC services for NFSv4 try to load transport modules for
+<tt>udp6</tt> and <tt>tcp6</tt> by default, even if IPv6 has been
disabled in
+<tt>/etc/modprobe.d</tt>. To prevent RPC services such as
<tt>rpc.mountd</tt>
+from attempting to start IPv6 network listeners, remove or comment out the
+following two lines in <tt>/etc/netconfig</tt>:
<pre>udp6 tpi_clts v inet6 udp - -
tcp6 tpi_cots_ord v inet6 tcp - -</pre>
</description>
-<!--<ident cce="CCE-3842-2" />-->
<oval id="network_ipv6_disable_rpc" />
<ref nist="CM-6, CM-7" />
</Rule>
@@ -71,7 +83,7 @@ tcp6 tpi_cots_ord v inet6 tcp - -</pre>
implementing it can automatically configure their networking
devices using information from the network. From a security
perspective, manually configuring important configuration
-information is always preferable to accepting it from the network
+information is preferable to accepting it from the network
in an unauthenticated fashion.</description>
<Group id="disabling_ipv6_autoconfig">
@@ -113,22 +125,27 @@ operator="equals" interactive="0">
<Rule id="set_sysctl_net_ipv6_conf_default_accept_ra">
<title>Disable Accepting IPv6 Router Advertisements</title>
-<description>The default setting for accepting IPv6 router
-advertisements should be: <tt><sub
idref="sysctl_net_ipv6_conf_default_accept_ra_value" /></tt> for all
interfaces. To do so add the following lines to <tt>/etc/sysctl.conf</tt> to
limit the configuration information requested from other systems, and accepted from the
network:
-<pre>net.ipv6.conf.default.accept_ra = <sub
idref="sysctl_net_ipv6_conf_default_accept_ra_value"
/></pre></description>
+<description>
+<sysctl-desc-macro sysctl="net.ipv6.conf.default.accept_ra"
value="0" />
+</description>
+<ocil>
+<sysctl-check-macro sysctl="net.ipv6.conf.default.accept_ra"
value="0" />
+</ocil>
+<rationale>
+An illicit router advertisement message could result in a man-in-the-middle attack.
+</rationale>
<ident cce="CCE-4269-7" />
-<oval id="sysctl_net_ipv6_conf_default_accept_ra" />
<!--value="sysctl_net_ipv6_conf_default_accept_ra_value" /> -->
+<oval id="sysctl_net_ipv6_conf_default_accept_ra" />
<ref nist="CM-7" />
</Rule>
<Rule id="set_sysctl_ipv6_default_accept_redirects">
<title>Disable Accepting IPv6 Redirects</title>
-<description>The setting for accepting IPv6 redirects should be: <tt><sub
idref="sysctl_net_ipv6_conf_default_accept_redirects_value" /></tt> for
all interfaces. To do so add the following lines to <tt>/etc/sysctl.conf</tt>
to limit the configuration information requested from other systems, and accepted from the
network:
-<pre>net.ipv6.conf.default.accept_redirects = <sub
idref="sysctl_net_ipv6_conf_default_accept_redirects_value" /></pre>
+<description>
+<sysctl-desc-macro sysctl="net.ipv6.conf.default.accept_redirects"
value="0" />
</description>
-<ocil clause="there is not output">
-To ensure IPv6 redirects are disabled, run the following command:
-<pre># grep ipv6 /etc/sysctl.conf</pre>
+<ocil>
+<sysctl-check-macro sysctl="net.ipv6.conf.default.accept_redirects"
value="0" />
</ocil>
<rationale>
An illicit ICMP redirect message could result in a man-in-the-middle attack.
@@ -142,19 +159,30 @@ An illicit ICMP redirect message could result in a man-in-the-middle
attack.
<Rule id="network_ipv6_static_address">
<title>Manually Assign Global IPv6 Address</title>
-<description>To manually assign an IP address for an interface IFACE , edit the
file <tt>/etc/sysconfig/network-scripts/ifcfg-IFACE</tt>. Add or correct the
following line (substituting the correct IPv6 address):
+<description>To manually assign an IP address for an interface IFACE , edit the
+file <tt>/etc/sysconfig/network-scripts/ifcfg-IFACE</tt>. Add or correct the
+following line (substituting the correct IPv6 address):
<pre>IPV6ADDR=2001:0DB8::ABCD/64</pre>
-Manually assigning an IP address is preferable to accepting one from routers or from the
network otherwise. The example address here is an IPv6 address reserved for documentation
purposes, as defined by RFC3849.</description>
-<!--<ident cce="CCE-3842-2" />-->
+Manually assigning an IP address is preferable to accepting one from routers or
+from the network otherwise. The example address here is an IPv6 address
+reserved for documentation purposes, as defined by RFC3849.
+</description>
<oval id="network_ipv6_static_address" />
<ref nist="CM-6, CM-7" />
</Rule>
<Rule id="network_ipv6_privacy_extensions">
<title>Use Privacy Extensions for Address</title>
-<description>To introduce randomness into the automatic generation of IPv6
addresses, add or correct the following line in
<tt>/etc/sysconfig/network-scripts/ifcfg-IFACE</tt>:
+<description>To introduce randomness into the automatic generation of IPv6
+addresses, add or correct the following line in
+<tt>/etc/sysconfig/network-scripts/ifcfg-IFACE</tt>:
<pre>IPV6_PRIVACY=rfc3041</pre>
-Automatically-generated IPv6 addresses are based on the underlying hardware (e.g.
Ethernet) address, and so it becomes possible to track a piece of hardware over its
lifetime using its traffic. If it is important for a system's IP address to not
trivially reveal its hardware address, this setting should be
applied.</description>
+Automatically-generated IPv6 addresses are based on the underlying hardware
+(e.g. Ethernet) address, and so it becomes possible to track a piece of
+hardware over its lifetime using its traffic. If it is important for a system's
+IP address to not trivially reveal its hardware address, this setting should be
+applied.
+</description>
<ident cce="CCE-3842-2" />
<oval id="network_ipv6_privacy_extensions" />
<ref nist="CM-6, CM-7" />
@@ -162,17 +190,22 @@ Automatically-generated IPv6 addresses are based on the underlying
hardware (e.g
<Rule id="network_ipv6_default_gateway">
<title>Manually Assign IPv6 Router Address</title>
-<description>Edit the file
<tt>/etc/sysconfig/network-scripts/ifcfg-<i>IFACE</i></tt>, and
add or correct the following line (substituting your gateway IP as appropriate):
+<description>Edit the file
+<tt>/etc/sysconfig/network-scripts/ifcfg-<i>IFACE</i></tt>, and
add or correct
+the following line (substituting your gateway IP as appropriate):
<pre>IPV6_DEFAULTGW=2001:0DB8::0001</pre>
-Router addresses should be manually set and not accepted via any autoconfiguration or
router advertisement.</description>
-<!--<ident cce="CCE-3842-2" />-->
+Router addresses should be manually set and not accepted via any
+autoconfiguration or router advertisement.
+</description>
<oval id="network_ipv6_default_gateway" />
<ref nist="CM-6, CM-7" />
</Rule>
<Rule id="network_ipv6_limit_requests">
<title>Limit Network-Transmitted Configuration</title>
-<description>Add the following lines to <tt>/etc/sysctl.conf</tt> to
limit the configuration information requested from other systems, and accepted from the
network:
+<description>Add the following lines to <tt>/etc/sysctl.conf</tt> to
limit the
+configuration information requested from other systems, and accepted from the
+network:
<pre>net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
@@ -180,17 +213,28 @@ net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1</pre>
-The <tt>router_solicitations</tt> setting determines how many router
solicitations are sent when bringing up the interface. If addresses are statically
assigned, there is no need to send any solicitations.
+The <tt>router_solicitations</tt> setting determines how many router
+solicitations are sent when bringing up the interface. If addresses are
+statically assigned, there is no need to send any solicitations.
<br />
-The <tt>accept_ra_pinfo</tt> setting controls whether the system will accept
prefix info from the router.
+The <tt>accept_ra_pinfo</tt> setting controls whether the system will accept
+prefix info from the router.
<br />
-The <tt>accept_ra_defrtr</tt> setting controls whether the system will accept
Hop Limit settings from a router advertisement. Setting it to 0 prevents a router from
changing your default IPv6 Hop Limit for outgoing packets.
+The <tt>accept_ra_defrtr</tt> setting controls whether the system will
accept
+Hop Limit settings from a router advertisement. Setting it to 0 prevents a
+router from changing your default IPv6 Hop Limit for outgoing packets.
<br />
-The <tt>autoconf</tt> setting controls whether router advertisements can
cause the system to assign a global unicast address to an interface.
+The <tt>autoconf</tt> setting controls whether router advertisements can
cause
+the system to assign a global unicast address to an interface.
<br />
-The <tt>dad_transmits</tt> setting determines how many neighbor solicitations
to send out per address (global and link-local) when bringing up an interface to ensure
the desired address is unique on the network.
+The <tt>dad_transmits</tt> setting determines how many neighbor
solicitations
+to send out per address (global and link-local) when bringing up an interface
+to ensure the desired address is unique on the network.
<br />
-The <tt>max_addresses</tt> setting determines how many global unicast IPv6
addresses can be assigned to each interface. The default is 16, but it should be set to
exactly the number of statically configured global addresses required.
+The <tt>max_addresses</tt> setting determines how many global unicast IPv6
+addresses can be assigned to each interface. The default is 16, but it should
+be set to exactly the number of statically configured global addresses
+required.
</description>
<ident cce="CCE-4221-8" />
<ident cce="CCE-4137-6" />
--
1.7.1