Review ip6tables related rules #11054

marcusburghardt · 2023-09-07T10:38:19Z

While investigating the #10896 it was noticed some issues with ip6tables related rules:

Here are some improvements opportunities:

These rules should not be executed if IPv6 is not enabled in the system.
their platforms should include ipv6[enabled]
These rules should only be applicable if:
- iptables package is present;
- ntfables and firewalld services are not enabled;
- ufw package is not present;
- So, probably this should be the correct definition of platform:
  - package[iptables] and not package[ufw] and service_disabled[firewalld] and service_disabled[nftables]
They don't have an OVAL but the one could be created to check the /etc/sysconfig/ip6tables file
- The OVAL can't check run-time, but it should be fine to ensure the expected configuration.
There is a SCE script for Ubuntu.
- It could be renamed to shared.sh
- and the header updated to platform = multi_platform_ubuntu

0.1.69

All products where ip6tables is available.

The text was updated successfully, but these errors were encountered:

Mab879 · 2025-01-16T14:21:09Z

@teacup-on-rockingchair Is this valid or can we close it?

teacup-on-rockingchair · 2025-01-17T16:05:49Z

@teacup-on-rockingchair Is this valid or can we close it?

Well the final solution from my perspective is still up for review see #11818

This PR was a bit unlucky 😎 , and thought it got some initial positive review, there was I guess not enough time to pass the process

marcusburghardt added Update Rule Issues or pull requests related to Rules updates. CPE-AL CPE Applicability Language labels Sep 7, 2023

marcusburghardt mentioned this issue Sep 7, 2023

CIS Workstation L2 profile produces unexpected notapplicable results #10896

Closed

teacup-on-rockingchair self-assigned this Sep 14, 2023

marcusburghardt mentioned this issue Jan 30, 2024

Update CIS RHEL7 requirement 3.4.4.3.4 #11502

Merged

Provide feedback