To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.forwarding = 0
Rationale
IP forwarding permits the kernel to forward packets from one network
interface to another. The ability to forward packets between two networks is
only appropriate for systems acting as routers.
- /lib/sysctl.d/
contains: ^[\s]*net.ipv6.conf.default.forwarding.*$
patterns: '*.conf'
file_type: any
register: find_sysctl_d
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-85725-0
- DISA-STIG-SLES-15-040382
- NIST-800-53-CM-6(b)
- NIST-800-53-CM-6.1(iv)
- disable_strategy
- low_complexity
- medium_disruption
- medium_severity
- reboot_required
- sysctl_net_ipv6_conf_default_forwarding
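# Neutralise every active net.ipv6.conf.default.forwarding line that the
# preceding `find` task located, so the value written later to a dedicated
# sysctl.d file is the only one in effect. Lines are commented out, not
# removed, so the user's original data is preserved.
- name: Comment out any occurrences of net.ipv6.conf.default.forwarding from config files
  replace:
    path: "{{ item.path }}"
    # Anchored at line start, so lines that already begin with '#' are left
    # alone. The dots in the key are unescaped and therefore match any single
    # character in those positions.
    regexp: ^[\s]*net.ipv6.conf.default.forwarding
    replace: '#net.ipv6.conf.default.forwarding'
  loop: "{{ find_sysctl_d.files }}"
  # Skipped on container platforms (the remediation is not applicable there).
  # The file this remediation manages itself is also skipped: commenting its
  # own line out on every run would make the sysctl task append a fresh copy
  # each time and report "changed" even when the value is already correct.
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - item.path != '/etc/sysctl.d/net_ipv6_conf_default_forwarding.conf'
  tags:
    - CCE-85725-0
    - DISA-STIG-SLES-15-040382
    - NIST-800-53-CM-6(b)
    - NIST-800-53-CM-6.1(iv)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv6_conf_default_forwarding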
# /etc/sysctl.conf is handled separately from the sysctl.d loop above. As
# there, any active occurrence of the key is commented out rather than
# deleted, so the user's data is preserved.
- name: Comment out any occurrences of net.ipv6.conf.default.forwarding from /etc/sysctl.conf
  # Skipped on container platforms (the remediation is not applicable there).
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  replace:
    path: /etc/sysctl.conf
    # Anchored at line start: lines already starting with '#' do not match.
    regexp: ^[\s]*net.ipv6.conf.default.forwarding
    replace: '#net.ipv6.conf.default.forwarding'
  tags:
    - CCE-85725-0
    - DISA-STIG-SLES-15-040382
    - NIST-800-53-CM-6(b)
    - NIST-800-53-CM-6.1(iv)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv6_conf_default_forwarding
# Promote the XCCDF-selected value to a play variable so the sysctl task below
# can reference it. The explicit !!str tag keeps a numeric-looking value such
# as 0 from being retyped as an integer by the YAML loader. Tagged "always"
# so the variable exists no matter which tags the play is run with.
- name: XCCDF Value sysctl_net_ipv6_conf_default_forwarding_value # promote to variable
  tags:
    - always
  set_fact:
    sysctl_net_ipv6_conf_default_forwarding_value: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_forwarding_value" use="legacy"/>
# Persist the value in its own drop-in under /etc/sysctl.d and reload so it
# is applied at runtime as well as on the next boot.
# NOTE(review): net.ipv6.conf.default.forwarding seeds interfaces created
# after the write; confirm that a sibling rule covers
# net.ipv6.conf.all.forwarding if the rationale (no forwarding on
# non-routers) is meant to hold for existing interfaces too.
- name: Ensure sysctl net.ipv6.conf.default.forwarding is set
  # Skipped on container platforms (the remediation is not applicable there).
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  sysctl:
    name: net.ipv6.conf.default.forwarding
    value: "{{ sysctl_net_ipv6_conf_default_forwarding_value }}"
    sysctl_file: /etc/sysctl.d/net_ipv6_conf_default_forwarding.conf
    state: present
    reload: true
  tags:
    - CCE-85725-0
    - DISA-STIG-SLES-15-040382
    - NIST-800-53-CM-6(b)
    - NIST-800-53-CM-6.1(iv)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_ipv6_conf_default_forwarding
Remediation - Shell Script
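# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.ipv6.conf.default.forwarding from the
# sysctl.d drop-in directories and from /etc/sysctl.conf. Matching lines are
# commented out rather than deleted so user data is preserved; the desired
# value is written below to its own file under /etc/sysctl.d.
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf; do
    # An unmatched glob is passed through as a literal pattern; skip anything
    # that is not an existing regular file instead of letting grep complain.
    [ -f "$f" ] || continue
    # Only active (uncommented) lines are of interest; the lookahead also
    # ignores comment lines that happen to be indented.
    matching_list=$(grep -P '^(?![\s]*#).*[\s]*net.ipv6.conf.default.forwarding.*$' "$f" | uniq )
    if ! test -z "$matching_list"; then
        while IFS= read -r entry; do
            # Escape every BRE metacharacter plus the sed delimiter, not only
            # '/', so the line is matched literally whatever it contains.
            escaped_entry=$(sed -e 's/[][\\.*^$/]/\\&/g' <<< "$entry")
            # comment out "net.ipv6.conf.default.forwarding" matches to preserve user data
            sed -i "s/^${escaped_entry}$/# &/g" "$f"
        done <<< "$matching_list"
    fi
done

#
# Set sysctl config file which to save the desired value
#
SYSCONFIG_FILE='/etc/sysctl.d/net_ipv6_conf_default_forwarding.conf'

sysctl_net_ipv6_conf_default_forwarding_value='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_forwarding_value" use="legacy"/>'

#
# Set runtime for net.ipv6.conf.default.forwarding
#
/sbin/sysctl -q -n -w net.ipv6.conf.default.forwarding="$sysctl_net_ipv6_conf_default_forwarding_value"

#
# If net.ipv6.conf.default.forwarding is present in $SYSCONFIG_FILE, change its
# value to the desired one; else append "net.ipv6.conf.default.forwarding = value"
# to it. Any active copy in /etc/sysctl.conf was commented out by the loop above.
#
# NOTE: the former line `sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf` was
# removed: SYSCONFIG_VAR was never assigned, so the expression collapsed to
# '/^/d' and deleted every line of /etc/sysctl.conf.
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.forwarding")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_net_ipv6_conf_default_forwarding_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.forwarding\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.forwarding\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    # Make sure the file ends with a newline before appending, so the new
    # entry does not get glued onto the last existing line.
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    cce="CCE-85725-0"
    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi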