dev-sec / puppet-os-hardening

This puppet module provides numerous security-related configurations, providing all-round base protection.
http://dev-sec.io/
Apache License 2.0

SLES and OEL errors when ipv6 is disabled #82

Closed STetzel closed 7 years ago

STetzel commented 7 years ago

We disable ipv6 on our SLES and OEL systems using install ipv6 /bin/true in /etc/modprobe.d/ipv6.

Notice: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.default.router_solicitations]/Exec[enforce-sysctl-value-net.ipv6.conf.default.router_solicitations]/returns: /proc/sys/net/ipv6/conf/default/router_solicitations: No such file or directory
Error: /sbin/sysctl -w net.ipv6.conf.default.router_solicitations=0 returned 255 instead of one of [0]
Error: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.default.router_solicitations]/Exec[enforce-sysctl-value-net.ipv6.conf.default.router_solicitations]/returns: change from notrun to 0 failed: /sbin/sysctl -w net.ipv6.conf.default.router_solicitations=0 returned 255 instead of one of [0]
Notice: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.default.accept_ra_defrtr]/Exec[enforce-sysctl-value-net.ipv6.conf.default.accept_ra_defrtr]/returns: /proc/sys/net/ipv6/conf/default/accept_ra_defrtr: No such file or directory
Error: /sbin/sysctl -w net.ipv6.conf.default.accept_ra_defrtr=0 returned 255 instead of one of [0]
Error: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.default.accept_ra_defrtr]/Exec[enforce-sysctl-value-net.ipv6.conf.default.accept_ra_defrtr]/returns: change from notrun to 0 failed: /sbin/sysctl -w net.ipv6.conf.default.accept_ra_defrtr=0 returned 255 instead of one of [0]
Notice: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.all.accept_source_route]/Exec[enforce-sysctl-value-net.ipv6.conf.all.accept_source_route]/returns: /proc/sys/net/ipv6/conf/all/accept_source_route: No such file or directory
Error: /sbin/sysctl -w net.ipv6.conf.all.accept_source_route=0 returned 255 instead of one of [0]
Error: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.all.accept_source_route]/Exec[enforce-sysctl-value-net.ipv6.conf.all.accept_source_route]/returns: change from notrun to 0 failed: /sbin/sysctl -w net.ipv6.conf.all.accept_source_route=0 returned 255 instead of one of [0]
Notice: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.default.accept_redirects]/Exec[enforce-sysctl-value-net.ipv6.conf.default.accept_redirects]/returns: /proc/sys/net/ipv6/conf/default/accept_redirects: No such file or directory
Error: /sbin/sysctl -w net.ipv6.conf.default.accept_redirects=0 returned 255 instead of one of [0]
Error: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.default.accept_redirects]/Exec[enforce-sysctl-value-net.ipv6.conf.default.accept_redirects]/returns: change from notrun to 0 failed: /sbin/sysctl -w net.ipv6.conf.default.accept_redirects=0 returned 255 instead of one of [0]
Notice: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.default.accept_source_route]/Exec[enforce-sysctl-value-net.ipv6.conf.default.accept_source_route]/returns: /proc/sys/net/ipv6/conf/default/accept_source_route: No such file or directory
Error: /sbin/sysctl -w net.ipv6.conf.default.accept_source_route=0 returned 255 instead of one of [0]
Error: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.default.accept_source_route]/Exec[enforce-sysctl-value-net.ipv6.conf.default.accept_source_route]/returns: change from notrun to 0 failed: /sbin/sysctl -w net.ipv6.conf.default.accept_source_route=0 returned 255 instead of one of [0]
Notice: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.default.max_addresses]/Exec[enforce-sysctl-value-net.ipv6.conf.default.max_addresses]/returns: /proc/sys/net/ipv6/conf/default/max_addresses: No such file or directory
Error: /sbin/sysctl -w net.ipv6.conf.default.max_addresses=1 returned 255 instead of one of [0]
Error: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.default.max_addresses]/Exec[enforce-sysctl-value-net.ipv6.conf.default.max_addresses]/returns: change from notrun to 0 failed: /sbin/sysctl -w net.ipv6.conf.default.max_addresses=1 returned 255 instead of one of [0]
Notice: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.all.disable_ipv6]/Exec[enforce-sysctl-value-net.ipv6.conf.all.disable_ipv6]/returns: /proc/sys/net/ipv6/conf/all/disable_ipv6: No such file or directory
Error: /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1 returned 255 instead of one of [0]
Error: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.all.disable_ipv6]/Exec[enforce-sysctl-value-net.ipv6.conf.all.disable_ipv6]/returns: change from notrun to 0 failed: /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1 returned 255 instead of one of [0]
Notice: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.default.accept_ra_rtr_pref]/Exec[enforce-sysctl-value-net.ipv6.conf.default.accept_ra_rtr_pref]/returns: /proc/sys/net/ipv6/conf/default/accept_ra_rtr_pref: No such file or directory
Error: /sbin/sysctl -w net.ipv6.conf.default.accept_ra_rtr_pref=0 returned 255 instead of one of [0]
Error: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.default.accept_ra_rtr_pref]/Exec[enforce-sysctl-value-net.ipv6.conf.default.accept_ra_rtr_pref]/returns: change from notrun to 0 failed: /sbin/sysctl -w net.ipv6.conf.default.accept_ra_rtr_pref=0 returned 255 instead of one of [0]
Notice: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.all.accept_ra]/Exec[enforce-sysctl-value-net.ipv6.conf.all.accept_ra]/returns: /proc/sys/net/ipv6/conf/all/accept_ra: No such file or directory
Error: /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0 returned 255 instead of one of [0]
Error: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.all.accept_ra]/Exec[enforce-sysctl-value-net.ipv6.conf.all.accept_ra]/returns: change from notrun to 0 failed: /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0 returned 255 instead of one of [0]
Notice: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.default.autoconf]/Exec[enforce-sysctl-value-net.ipv6.conf.default.autoconf]/returns: /proc/sys/net/ipv6/conf/default/autoconf: No such file or directory
Error: /sbin/sysctl -w net.ipv6.conf.default.autoconf=0 returned 255 instead of one of [0]
Error: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.default.autoconf]/Exec[enforce-sysctl-value-net.ipv6.conf.default.autoconf]/returns: change from notrun to 0 failed: /sbin/sysctl -w net.ipv6.conf.default.autoconf=0 returned 255 instead of one of [0]
Notice: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.all.accept_redirects]/Exec[enforce-sysctl-value-net.ipv6.conf.all.accept_redirects]/returns: /proc/sys/net/ipv6/conf/all/accept_redirects: No such file or directory
Error: /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0 returned 255 instead of one of [0]
Error: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.all.accept_redirects]/Exec[enforce-sysctl-value-net.ipv6.conf.all.accept_redirects]/returns: change from notrun to 0 failed: /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0 returned 255 instead of one of [0]
Notice: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.default.accept_ra_pinfo]/Exec[enforce-sysctl-value-net.ipv6.conf.default.accept_ra_pinfo]/returns: /proc/sys/net/ipv6/conf/default/accept_ra_pinfo: No such file or directory
Error: /sbin/sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0 returned 255 instead of one of [0]
Error: /Stage[main]/Os_hardening::Sysctl/Sysctl[net.ipv6.conf.default.accept_ra_pinfo]/Exec[enforce-sysctl-value-net.ipv6.conf.default.accept_ra_pinfo]/returns: change from notrun to 0 failed: /sbin/sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0 returned 255 instead of one of [0]
^CNotice: Caught INT; exiting

Is it possible to check, before the ipv6 configurations, whether ipv6 is activated at all?

For example, if the /proc/net/if_inet6 file exists!

artem-sidorenko commented 7 years ago

@STetzel thanks for this bug report! Any reason why you are not using net.ipv6.conf.all.disable_ipv6 in order to disable ipv6? As far as I remember, this was the recommended way to do so, exactly because of these problems.

cc @bitvijays

STetzel commented 7 years ago

@artem-sidorenko The problem is that this procedure is performed by the integrated configuration tool "YAST", and it is defined by SLES as best practice. Also Oracle Enterprise Linux. cc @bitvijays

artem-sidorenko commented 7 years ago

@STetzel it's weird. Do you maybe have some references here? Do not get me wrong, I believe you, I want to understand the reasons, as the official RH recommendation is completely different:

STetzel commented 7 years ago

@artem-sidorenko yeah, you're right, but we also have OEL5 systems ;-)

STetzel commented 7 years ago
system : "Linux"
type : FILE_CONTENT_CHECK
description : "4.4.2 Disable IPv6 'options ipv6 disable=1'"
info : "Configuration Level : Level-I"
info : "OS Default : N/A"
info : "Reboot Required : Yes"
info : "Scorable Item : No"
reference : "CCE|CCE-3562-6"
see_also : "https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_5_Benchmark_v2.1.0.pdf"
file : "/etc/modprobe.conf"
regex : "^[\\s]*options\\s+ipv6\\s"
expect : "^[\\s]*options\\s+ipv6\\s+[\"]disable\\s*=\\s*1[\"]\\s*$"

I also find that it is better not to start something when it is not necessary. Therefore, if the module is not loaded, why should we set parameters for it?

artem-sidorenko commented 7 years ago

Regarding OEL5, it looks like it's EOL, so that should not be the reason to support it :-)

Still, even if I share a similar view to the RH guys (and I faced a lot of problems by removing the ipv6 module completely), I think the use case is still valid and some people might have another view or maybe reasons to do it this way.

Maybe we could make the ipv6 sysctl flags dependent on the global manage ipv6 hardening switch, so people could disable that completely? @STetzel would this be fine for you?

@atomic111 @chris-rock @bitvijays what's your view on this problem?

bitvijays commented 7 years ago

@artem-sidorenko Looks alright to me. Just to make sure we are on the same page: you meant that "we should check the /etc/modprobe.conf file and see if there's an entry of 'install ipv6 /bin/true'. If it's there, ignore the ipv6 check", right?

STetzel commented 7 years ago

Hello,

Why don't you check if /proc/net/if_inet6 exists as a "file"? See http://mirrors.deepspace6.net/Linux+IPv6-HOWTO/proc-net.html

[ -f /proc/net/if_inet6 ] && echo 'IPv6 ready system!' || echo 'No IPv6 support found! Compile the kernel or load the module!!'

regards Sascha (STetzel)

/proc/net/if_inet6 exists!

STetzel commented 7 years ago

Hello,

Any news about this?!

Regards Sascha (STetzel)

artem-sidorenko commented 7 years ago

Why don't you check if /proc/net/if_inet6 exists as a "file"?

@STetzel I personally do not like such intelligent logic in the security and automation area; it often produces hidden errors which are hard to troubleshoot and to understand. I still think a configuration flag here is good enough, and it's more reliable than logic with any autodetection behavior. Via a config flag you could configure your expected behavior (e.g. ipv6 hardening is enabled); in the worst case (e.g. an unexpected state of the system where the ipv6 module is not present) your puppet run will fail and make the problem visible.

Looks alright to me. Just to make sure we are on the same page: you meant that "we should check the /etc/modprobe.conf file and see if there's an entry of 'install ipv6 /bin/true'. If it's there, ignore the ipv6 check", right?

@bitvijays No, I think we could introduce another option here, manage_ipv6, and set its default to true. This can be moved to the new if $manage_ipv6 block. Users who do not want to have ipv6 managed could disable it completely.
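
The two behaviours debated in this thread, a fail-loud manage_ipv6 switch versus the /proc/net/if_inet6 autodetection, as an added shell example that is not code from puppet-os-hardening; the PROC_ROOT argument is a hypothetical parameter so the functions can be exercised against a constructed fake /proc tree instead of the live kernel.

```shell
#!/bin/sh
# Added example, not the module's own code. Demonstrates (a) the if_inet6
# existence check proposed by STetzel and (b) the manage_ipv6 flag proposed
# by artem-sidorenko: when the flag is true and a sysctl key has no /proc/sys
# entry, the run fails with an explicit error instead of silently skipping.

# Subset of the keys that failed in the log above (constructed sample list).
IPV6_KEYS="net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.autoconf=0"

# ipv6_supported PROC_ROOT: exit 0 if the kernel exposes IPv6 (if_inet6 exists).
ipv6_supported() {
    [ -f "${1:-/proc}/net/if_inet6" ]
}

# enforce_ipv6_sysctl PROC_ROOT MANAGE: write every key in IPV6_KEYS under
# PROC_ROOT/sys, or skip entirely when MANAGE is not "true".
# Returns 1 on the first key whose /proc/sys entry is missing (IPv6 module
# not loaded), which is the "make the problem visible" behaviour.
enforce_ipv6_sysctl() {
    proc_root=$1
    manage=$2
    if [ "$manage" != "true" ]; then
        echo "manage_ipv6=false: skipping IPv6 sysctl hardening"
        return 0
    fi
    # The while loop runs in a subshell; exit 1 there becomes the
    # pipeline's (and thus the function's) return status.
    echo "$IPV6_KEYS" | while IFS='=' read -r key value; do
        path="$proc_root/sys/$(echo "$key" | tr . /)"
        if [ ! -f "$path" ]; then
            echo "error: $key: $path missing (IPv6 module not loaded?)" >&2
            exit 1
        fi
        printf '%s\n' "$value" > "$path"
        echo "set $key = $value"
    done
}

# Usage against the real kernel (needs root): enforce_ipv6_sysctl /proc "${MANAGE_IPV6:-true}"
```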

bitvijays commented 7 years ago

@artem-sidorenko manage_ipv6 sounds good to me. It seems to be a way better approach!

Cheers, bitvijays

STetzel commented 7 years ago

@artem-sidorenko, @bitvijays you are right, it is the best approach!

regards Sascha (STetzel)

bitvijays commented 7 years ago

@STetzel Would it be alright for you to create a pull request? @artem-sidorenko Should we go ahead with this?

artem-sidorenko commented 7 years ago

@bitvijays totally fine for me, I'll implement a similar thing for chef-os-hardening :)

STetzel commented 7 years ago

Added pull request #87

STetzel commented 7 years ago

It works ;-)