ansible-lockdown/UBUNTU22-CIS

IPv6 disabling doesn't respect declared mechanism

joshavant opened this issue · 0 comments

Describe the Issue
UBUNTU22-CIS is configured with the following:
ubtu22cis_ipv6_disable: grub
ubtu22cis_ipv6_required: false

Expected Behavior
After remediation, reloading sysctl.conf variables with sysctl -p returns exit code 0

Actual Behavior
After remediation, reloading sysctl.conf variables with sysctl -p returns exit code 255

Control(s) Affected
3.2.2, 3.3.1, 3.3.2

Environment (please complete the following information):

  • branch being used: devel
  • Ansible Version: 2.16.0
  • Host Python Version: N/A
  • Ansible Server Python Version: 2.7.16
  • Additional Details: Ubuntu 22.04.3 is Server OS

Additional Notes
Currently, remediation (without any direct rule overrides) will add lines to /etc/sysctl.conf relevant to IPv6 disabling, such as the following:
net.ipv6.conf.all.forwarding=0

If ubtu22cis_ipv6_disable is configured to grub, the IPv6 networking stack is not loaded by the kernel, and so files such as /proc/sys/net/ipv6/conf/all/forwarding are not created.

However, it appears sysctl's actual behavior is that, despite a line such as net.ipv6.conf.all.forwarding=0 existing in /etc/sysctl.conf to disable IPv6 behaviors, sysctl will still attempt to look for /proc/sys/net/ipv6/conf/all/forwarding and return a non-zero exit code if that file is not found.

Here is a sample output of current behavior, immediately after applying remediation:

ubuntu@ubuntu:~$ sudo sysctl -p
[sudo] password for ubuntu: 
fs.suid_dumpable = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/forwarding: No such file or directory
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_source_route: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_source_route: No such file or directory
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/all/accept_redirects: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv6/conf/default/accept_redirects: No such file or directory
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.route.flush = 1
ubuntu@ubuntu:~$ echo $?
255

This non-zero exit code can cause other attempts to reload sysctl to appear to fail, when interpreting the returned exit code.

Possible Solution
#191
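Added example, not taken from the issue or from the UBUNTU22-CIS role: a POSIX shell pre-flight check that lists the keys in a sysctl.conf-style file whose backing /proc/sys entry does not exist, so that the exit code 255 described above can be attributed to the grub-disabled IPv6 stack rather than to a genuine failure. The function names, the optional PROC_SYS_ROOT argument and the fake /proc/sys tree in the demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the issue or the UBUNTU22-CIS role): pre-flight check for
# /etc/sysctl.conf that lists keys with no backing /proc/sys entry, so "sysctl -p"
# exiting 255 can be attributed to the grub-disabled IPv6 stack rather than to a
# genuine failure. Function names and the optional PROC_SYS_ROOT argument are assumed.

# Usage: sysctl_missing_keys CONF_FILE [PROC_SYS_ROOT]
# Prints one missing key per line; prints nothing when every key is present.
sysctl_missing_keys() {
    conf="$1"
    root="${2:-/proc/sys}"
    # Drop comments ('#' or ';') and blank lines, keep the key left of '='.
    sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$conf" |
    while IFS='=' read -r key _; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        [ -n "$key" ] || continue
        # sysctl resolves net.ipv6.conf.all.forwarding as
        # /proc/sys/net/ipv6/conf/all/forwarding; keys written with '/' work too.
        path="$root/$(printf '%s' "$key" | tr '.' '/')"
        [ -e "$path" ] || printf '%s\n' "$key"
    done
}

# Usage: only_ipv6_missing CONF_FILE [PROC_SYS_ROOT]
# Returns 0 when every missing key is under net.ipv6 (the expected state with
# ubtu22cis_ipv6_disable: grub), 1 when any other key is missing.
only_ipv6_missing() {
    missing=$(sysctl_missing_keys "$1" "$2")
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing" | grep -qv '^net\.ipv6\.' && return 1
    return 0
}

# Constructed demo: a fake /proc/sys holding IPv4 entries only, plus a conf with
# two of the lines the role writes, mirrors a host booted with IPv6 disabled via grub.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/proc/net/ipv4/conf/all"
: > "$demo_root/proc/net/ipv4/conf/all/send_redirects"
printf 'net.ipv4.conf.all.send_redirects=0\nnet.ipv6.conf.all.forwarding=0\n' \
    > "$demo_root/sysctl.conf"
sysctl_missing_keys "$demo_root/sysctl.conf" "$demo_root/proc"
if only_ipv6_missing "$demo_root/sysctl.conf" "$demo_root/proc"; then
    echo "only IPv6 keys missing: the sysctl -p failure is explained by the grub setting"
fi
rm -rf "$demo_root"
```

Run it against the real file with `sysctl_missing_keys /etc/sysctl.conf` before `sysctl -p`; a non-empty result that is not limited to net.ipv6 keys is the case worth investigating.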