New applicability platform to check IPv6 state #10830

Merged
merged 3 commits into from
Jul 12, 2023

marcusburghardt
Member

Description:

Create a new applicability platform to check IPv6 state and include a platform: ipv6[enabled] for the group of rules that configure IPv6.

Rationale:

Review Hints:

  1. ./build_product rhel9
  2. Test some IPv6 related rules. e.g.:
    ./tests/automatus.py rule --libvirt qemu:///session rhel9 --datastream build/ssg-rhel9-ds.xml --dontclean --remediate-using bash sysctl_net_ipv6_conf_all_accept_ra
  3. The rule should be checked normally if the IPv6 is enabled in the system (default)
  4. Disable the IPv6 with this command: grubby --update-kernel=ALL --args=ipv6.disable=1
  5. Test the rule again and now it should report notapplicable

Here are examples of other rules which could be tested:

  • sysctl_net_ipv6_conf_all_accept_redirects
  • sysctl_net_ipv6_conf_all_accept_source_route
  • sysctl_net_ipv6_conf_default_accept_redirects

The intention is to use this applicability in IPv6 related rules so they
report "notapplicable" when IPv6 is disabled in the system.

This template will be used by the ipv6 applicability to check if IPv6 is
disabled or enabled in the system. It will rely on "ipv6.disable" boot
parameter defined in /etc/default/grub as this is the most reliable
way to disable IPv6 on a system. It is not considering runtime
configuration but this could be extended in the future, if deemed
necessary.
@marcusburghardt marcusburghardt added bugfix Fixes to reported bugs. Update Rule Issues or pull requests related to Rules updates. CPE-AL CPE Applicability Language labels Jul 12, 2023
@marcusburghardt marcusburghardt added this to the 0.1.69 milestone Jul 12, 2023
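
The boot-parameter check described in the commit message above, as an added shell example that is not the project's own OVAL template: it reports whether rules tagged platform: ipv6[enabled] would be evaluated, assuming the parameter is set in GRUB_CMDLINE_LINUX or GRUB_CMDLINE_LINUX_DEFAULT. The function name and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not the project's OVAL template.
# Prints "applicable" when rules tagged platform: ipv6[enabled] would be
# evaluated, "notapplicable" when ipv6.disable=1 is set at boot.
# Assumption: the parameter lives in GRUB_CMDLINE_LINUX or
# GRUB_CMDLINE_LINUX_DEFAULT inside the given grub defaults file.
ipv6_rule_applicability() {
    file=${1:-/etc/default/grub}
    # No readable file means no evidence of ipv6.disable=1.
    [ -r "$file" ] || { echo applicable; return 0; }
    # Active (uncommented) assignments only; drop quotes; one token per
    # line; exact match so ipv6.disable=0 or ipv6.disable=10 do not count.
    if sed -n -E 's/^[[:space:]]*GRUB_CMDLINE_LINUX(_DEFAULT)?=//p' "$file" \
        | tr -d "\"'" | tr -s '[:space:]' '\n' \
        | grep -qxF 'ipv6.disable=1'; then
        echo notapplicable
    else
        echo applicable
    fi
}

# Constructed sample: the active line disables IPv6, the commented one is ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
GRUB_TIMEOUT=5
#GRUB_CMDLINE_LINUX="rhgb quiet"
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet ipv6.disable=1"
EOF
ipv6_rule_applicability "$sample"
rm -f "$sample"
```

Like the check described in the commit message, this looks only at the boot configuration and not at runtime settings.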
@Mab879 Mab879 self-assigned this Jul 12, 2023
@codeclimate
codeclimate bot commented Jul 12, 2023

Code Climate has analyzed commit f0c50ae and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.4% (0.0% change).

@Mab879 Mab879 merged commit 252c4b3 into ComplianceAsCode:master Jul 12, 2023
33 of 34 checks passed
@marcusburghardt marcusburghardt deleted the cpe_ipv6_disabled branch July 13, 2023 06:22