IPv6 related audit/apply fail (or disable IPv6) because of util function `is_ipv6_enabled`

[SpraxDev]

#57 introduced the is_ipv6_enabled helper function, which is used e.g. in

debian-cis/bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh

Lines 20 to 66 in 9a225c6

	SYSCTL_PARAMS='net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0'
	# This function will be called if the script status is on enabled / audit mode
	audit() {
	is_ipv6_enabled
	if [ "$FNRET" = 0 ]; then
	for SYSCTL_VALUES in $SYSCTL_PARAMS; do
	SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
	SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
	debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
	has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
	if [ "$FNRET" != 0 ]; then
	crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
	elif [ "$FNRET" = 255 ]; then
	warn "$SYSCTL_PARAM does not exist -- Typo?"
	else
	ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
	fi
	done
	else
	ok "ipv6 disabled"
	fi
	}
	# This function will be called if the script status is on enabled mode
	apply() {
	is_ipv6_enabled
	if [ "$FNRET" = 0 ]; then
	for SYSCTL_VALUES in $SYSCTL_PARAMS; do
	SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
	SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
	debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
	has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
	if [ "$FNRET" != 0 ]; then
	warn "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT, fixing"
	set_sysctl_param "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
	sysctl -w net.ipv4.route.flush=1 >/dev/null
	elif [ "$FNRET" = 255 ]; then
	warn "$SYSCTL_PARAM does not exist -- Typo?"
	else
	ok "$SYSCTL_PARAM correctly set to $SYSCTL_EXP_RESULT"
	fi
	done
	else
	ok "ipv6 disabled"
	fi
	}

You can see in line 20 that SYSCTL_PARAMS is set.
When running an audit, I see other sysctl values being checked:

hardening                 [INFO] Treating [REDACTED]/debian-cis-4.1-4/bin/hardening/3.3.9_disable_ipv6_router_advertisement.sh
3.3.9_disable_ipv6_router [INFO] Working on 3.3.9_disable_ipv6_router_advertisement
3.3.9_disable_ipv6_router [INFO] [DESCRIPTION] Disable IPv6 router advertisements.
3.3.9_disable_ipv6_router [INFO] Checking Configuration
3.3.9_disable_ipv6_router [INFO] Performing audit
3.3.9_disable_ipv6_router [ KO ] net.ipv6.conf.all.disable_ipv6 was not set to 1
3.3.9_disable_ipv6_router [ KO ] net.ipv6.conf.default.disable_ipv6 was not set to 1
3.3.9_disable_ipv6_router [ KO ] net.ipv6.conf.lo.disable_ipv6 was not set to 1
3.3.9_disable_ipv6_router [ KO ] net.ipv6.conf.all.disable_ipv6 was not set to 1
3.3.9_disable_ipv6_router [ KO ] net.ipv6.conf.default.disable_ipv6 was not set to 1
3.3.9_disable_ipv6_router [ KO ] net.ipv6.conf.lo.disable_ipv6 was not set to 1
3.3.9_disable_ipv6_router [ KO ] Check Failed

The values being checked are the same as set/overridden in the is_ipv6_enabled function:

debian-cis/lib/utils.sh

Lines 53 to 71 in 9a225c6

	is_ipv6_enabled() {
	SYSCTL_PARAMS='net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1'
	does_sysctl_param_exists "net.ipv6"
	local ENABLE=1
	if [ "$FNRET" = 0 ]; then
	for SYSCTL_VALUES in $SYSCTL_PARAMS; do
	SYSCTL_PARAM=$(echo "$SYSCTL_VALUES" | cut -d= -f 1)
	SYSCTL_EXP_RESULT=$(echo "$SYSCTL_VALUES" | cut -d= -f 2)
	debug "$SYSCTL_PARAM should be set to $SYSCTL_EXP_RESULT"
	has_sysctl_param_expected_result "$SYSCTL_PARAM" "$SYSCTL_EXP_RESULT"
	if [ "$FNRET" != 0 ]; then
	crit "$SYSCTL_PARAM was not set to $SYSCTL_EXP_RESULT"
	ENABLE=0
	fi
	done
	fi
	FNRET=$ENABLE
	}

I haven't tested it, but I would expect this to also mess with the apply function just disabling IPv6 instead.

---

I am running the 4.1-4 release from GitHub on a Debian 12 installation.

[damcav35]

Hi @SpraxDev ,

Thanks for your report.

If i understand correctly, for instance, the check 3.3.9_disable_ipv6_router_advertisement is going to fail because ipv6 is enabled, even if the correct ipv6 router advertisement parameters are set.

So i think you're right, the current way of doing does not make much sense.
Because if we fail because ipv6 is enabled, then this whole check is useless.

[damcav35]

And also, SYSCTL_PARAMS from 3.3.9_disable_ipv6_router_advertisement are overriden by the one from the is_ipv6_enabled function