Merge pull request #9277 from yuumasato/new_sysctl_ipv4_forwarding_rule

New sysctl ipv4 forwarding rule
ComplianceAsCode · Aug 3, 2022 · 263b5ce · 263b5ce
2 parents e9a8c05 + 0e2be2d
commit 263b5ce
Show file tree

Hide file tree

Showing 7 changed files with 65 additions and 6 deletions.
diff --git a/...rk-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/...rk-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
@@ -0,0 +1,44 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}'
+
+rationale: |-
+    IP forwarding permits the kernel to forward packets from one network
+    interface to another. The ability to forward packets between two networks is
+    only appropriate for systems acting as routers.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86220-1
+
+references:
+    disa: CCI-000366
+    nist: CM-6(b)
+    srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel8: RHEL-08-040259
+
+ocil_clause: 'IP forwarding value is "1" and the system is not router'
+
+ocil: |-
+    {{{ ocil_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}
+    The ability to forward packets is only appropriate for routers.
+
+fixtext: |-
+    Configure {{{ full_name }}} to not allow packet forwarding unless the system is a router with the following commands:
+    {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.forwarding", value="0") | indent(4) }}}
+
+srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless the system is a router.'
+
+platform: machine
+
+template:
+    name: sysctl
+    vars:
+        sysctlvar: net.ipv4.conf.all.forwarding
+        datatype: int
+
diff --git a/...k-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var b/...k-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: net.ipv4.conf.all.forwarding
+
+description: 'Toggle IPv4 Forwarding'
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+    default: "0"
+    disabled: "0"
+    enabled: 1
+
diff --git a/...system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/...system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -45,7 +45,6 @@ references:
     stigid@ol7: OL07-00-040740
     stigid@ol8: OL08-00-040260
     stigid@rhel7: RHEL-07-040740
-    stigid@rhel8: RHEL-08-040259
     stigid@sle12: SLES-12-030430
     stigid@sle15: SLES-15-040380
 

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
@@ -1127,7 +1127,7 @@ selections:
     - sysctl_net_ipv6_conf_default_accept_source_route
 
     # RHEL-08-040259
-    - sysctl_net_ipv4_ip_forward
+    - sysctl_net_ipv4_conf_all_forwarding
 
     # RHEL-08-040260
     - sysctl_net_ipv6_conf_all_forwarding

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -168,7 +168,6 @@ CCE-86216-9
 CCE-86217-7
 CCE-86218-5
 CCE-86219-3
-CCE-86220-1
 CCE-86221-9
 CCE-86222-7
 CCE-86223-5

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
@@ -1,7 +1,7 @@
 title: DISA STIG for Red Hat Enterprise Linux 8
 description: 'This profile contains configuration checks that align to the
 
-    DISA STIG for Red Hat Enterprise Linux 8 V1R7
+    DISA STIG for Red Hat Enterprise Linux 8 V1R7.
 
 
     In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
@@ -395,13 +395,13 @@ selections:
 - sysctl_net_core_bpf_jit_harden
 - sysctl_net_ipv4_conf_all_accept_redirects
 - sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_forwarding
 - sysctl_net_ipv4_conf_all_rp_filter
 - sysctl_net_ipv4_conf_all_send_redirects
 - sysctl_net_ipv4_conf_default_accept_redirects
 - sysctl_net_ipv4_conf_default_accept_source_route
 - sysctl_net_ipv4_conf_default_send_redirects
 - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- sysctl_net_ipv4_ip_forward
 - sysctl_net_ipv6_conf_all_accept_ra
 - sysctl_net_ipv6_conf_all_accept_redirects
 - sysctl_net_ipv6_conf_all_accept_source_route

diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -405,13 +405,13 @@ selections:
 - sysctl_net_core_bpf_jit_harden
 - sysctl_net_ipv4_conf_all_accept_redirects
 - sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_forwarding
 - sysctl_net_ipv4_conf_all_rp_filter
 - sysctl_net_ipv4_conf_all_send_redirects
 - sysctl_net_ipv4_conf_default_accept_redirects
 - sysctl_net_ipv4_conf_default_accept_source_route
 - sysctl_net_ipv4_conf_default_send_redirects
 - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- sysctl_net_ipv4_ip_forward
 - sysctl_net_ipv6_conf_all_accept_ra
 - sysctl_net_ipv6_conf_all_accept_redirects
 - sysctl_net_ipv6_conf_all_accept_source_route