ansible-lockdown / UBUNTU22-CIS

Ansible role for Ubuntu22 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

IPv6 disabling doesn't respect declared mechanism #190

Closed joshavant closed 4 months ago

joshavant commented 5 months ago

Describe the Issue
UBUNTU22-CIS is configured with the following:
ubtu22cis_ipv6_disable: grub
ubtu22cis_ipv6_required: false

Expected Behavior
After remediation, reloading sysctl.conf variables with sysctl -p returns exit code 0

Actual Behavior
After remediation, reloading sysctl.conf variables with sysctl -p returns exit code 255

Control(s) Affected
3.2.2, 3.3.1, 3.3.2

Environment (please complete the following information):

Additional Notes
Currently, remediation (without any direct rule overrides) will add lines to /etc/sysctl.conf relevant to IPv6 disabling, such as the following:
net.ipv6.conf.all.forwarding=0

If ubtu22cis_ipv6_disable is configured to grub, the IPv6 networking stack is not loaded by the kernel, and so files such as /proc/sys/net/ipv6/conf/all/forwarding are not created.

However, it appears sysctl's actual behavior is that, despite a line such as net.ipv6.conf.all.forwarding=0 existing in /etc/sysctl.conf to disable IPv6 behaviors, sysctl will still attempt to look for /proc/sys/net/ipv6/conf/all/forwarding and return a non-zero exit code if that file is not found.

Here is a sample output of current behavior, immediately after applying remediation:

ubuntu@ubuntu:~$ sudo sysctl -p
[sudo] password for ubuntu: 
fs.suid_dumpable = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/forwarding: No such file or directory
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_source_route: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_source_route: No such file or directory
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_redirects: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_redirects: No such file or directory
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.route.flush = 1
ubuntu@ubuntu:~$ echo $?
255

This non-zero exit code can cause other attempts to reload sysctl to appear to fail, when interpreting the returned exit code.

Possible Solution

191
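The failure described in this issue comes from how sysctl resolves keys: a dotted key is turned into a path under /proc/sys, and when the kernel is booted with IPv6 disabled (for example ipv6.disable=1 on the kernel command line, which is my assumption about what the grub mechanism does) the whole net/ipv6 subtree is absent, so every IPv6 key in sysctl.conf produces a "cannot stat" error and a 255 exit. The POSIX shell script below is an added example, not code from the issue or from the UBUNTU22-CIS role. It models that key-to-path mapping and pre-checks a sysctl.conf file for keys that will not resolve, so a reload step can be gated or the offending lines filtered before sysctl -p runs. The function names, the fake /proc/sys tree and the sample sysctl.conf are all constructed for the example.

```shell
#!/bin/sh
# Added example: pre-check a sysctl.conf against the procfs tree it will be
# applied to. Not part of the issue or of the UBUNTU22-CIS role.

# sysctl_key_to_path KEY [ROOT]
#   sysctl maps net.ipv6.conf.all.forwarding to ROOT/net/ipv6/conf/all/forwarding.
#   ROOT defaults to /proc/sys; a different ROOT lets the check run against a
#   constructed tree (used by the fixture below).
sysctl_key_to_path() {
    key=$1
    root=${2:-/proc/sys}
    printf '%s/%s\n' "$root" "$(printf '%s' "$key" | tr '.' '/')"
}

# sysctl_missing_keys CONF [ROOT]
#   Reads CONF in sysctl.conf syntax (key = value, '#'/';' comments, blank
#   lines, optional leading '-') and prints every dotted key whose procfs
#   entry does not exist under ROOT. Exit status 0 means all keys resolve,
#   1 means `sysctl -p CONF` would report "cannot stat" for the printed keys.
#   Simplified model: keys written in slash form are not handled.
sysctl_missing_keys() {
    conf=$1
    root=${2:-/proc/sys}
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%[#;]*}                       # drop comments
        key=${line%%=*}                           # left of '='
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        key=${key#-}                              # sysctl.conf allows a leading '-'
        [ -z "$key" ] && continue
        if [ ! -e "$(sysctl_key_to_path "$key" "$root")" ]; then
            printf '%s\n' "$key"
            missing=$((missing + 1))
        fi
    done < "$conf"
    [ "$missing" -eq 0 ]
}

# make_fixture DIR
#   Builds a constructed /proc/sys look-alike under DIR that mimics a kernel
#   booted with IPv6 disabled: IPv4 and fs entries exist, net/ipv6 does not.
#   Also writes DIR/sysctl.conf with a constructed sample modelled on the
#   keys quoted in the issue.
make_fixture() {
    dir=$1
    for k in fs.suid_dumpable net.ipv4.ip_forward net.ipv4.conf.all.send_redirects; do
        p=$(sysctl_key_to_path "$k" "$dir")
        mkdir -p "$(dirname "$p")"
        printf '1\n' > "$p"
    done
    cat > "$dir/sysctl.conf" <<'EOF'
# constructed sample sysctl.conf
fs.suid_dumpable = 0
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.accept_redirects=0
EOF
}

# With --live, check the real /etc/sysctl.conf against the real /proc/sys;
# otherwise run the constructed fixture to show what the check reports.
if [ "${1:-}" = "--live" ]; then
    if sysctl_missing_keys /etc/sysctl.conf; then
        echo "all keys resolve; sysctl -p should exit 0"
    else
        echo "the keys above would make sysctl -p exit non-zero" >&2
    fi
elif [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    echo "keys in $tmp/sysctl.conf with no procfs entry:"
    sysctl_missing_keys "$tmp/sysctl.conf" "$tmp" || true
    rm -rf "$tmp"
fi
```

Run it with --demo to see the two IPv6 keys flagged, or with --live on a host remediated by the role to see which lines in /etc/sysctl.conf will trip the reload. Where the IPv6 lines have to stay in the file, sysctl's -e (--ignore) flag makes it skip unknown keys instead of failing, so `sysctl -e -p` is the reload form that exits 0 on a grub-disabled IPv6 host.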