From e14418e1bfbecde7f7091173c8ad9c84b28bd8ee Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 4 May 2020 18:51:13 +0200
Subject: [PATCH] Add Ansible for kernel_module_ipv6_option_disabled
The remediation does more than disabling only one kernel module, so it
is not suitable for "templation" (use of templating system).
---
.../ansible/shared.yml | 22 +++++++++++++++++++
.../tests/module_disabled.pass.sh | 4 ++++
.../tests/module_enabled.fail.sh | 4 ++++
3 files changed, 30 insertions(+)
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/ansible/shared.yml
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_disabled.pass.sh
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_enabled.fail.sh
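--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/ansible/shared.yml
@@ -0,0 +1,22 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = disable
+# complexity = low
+# disruption = medium
+
+- name: Disable IPv6 Networking kernel module
+ lineinfile:
+ create: yes
+ dest: "/etc/modprobe.d/ipv6.conf"
+ regexp: "^options\\s+ipv6\\s+disable=\\d"
+ line: "options ipv6 disable=1"
+
+- name: Ensure disable_ipv6 (all and default) is set to 1
+ sysctl:
+ name: "{{ item }}"
+ value: "1"
+ state: present
+ reload: yes
+ with_items:
+ - "net.ipv6.conf.all.disable_ipv6"
+ - "net.ipv6.conf.default.disable_ipv6"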
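Review bot: The `regexp` in the lineinfile task is anchored to `^options\s+ipv6\s+disable=\d`, so it only rewrites a line where `disable=` is the first option and there is no leading whitespace; a line such as `options ipv6 autoconf=0 disable=0` (constructed example) is not matched, and `options ipv6 disable=1` is appended beside it, leaving two conflicting `options ipv6` lines. The task also edits only /etc/modprobe.d/ipv6.conf, so a `disable=0` in another modprobe.d file would survive the remediation; whether the rule's check reads those files is not visible here. Separately, once the module has been loaded with `disable=1` the net.ipv6 sysctl keys may no longer exist, and `reload: yes` can then fail on a re-run; consider adding `ignoreerrors: yes` to the sysctl task. A short comment above the first task, e.g. `# only rewrites a line whose first option is disable=N; other "options ipv6" lines are left in place`, would document the limit.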
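--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_disabled.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 7
+
+echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf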
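Review bot: Both scenarios added here (this one and module_enabled.fail.sh) are limited by `# platform = Red Hat Enterprise Linux 7`, while the Ansible remediation in the same commit declares `multi_platform_all`, so the new remediation is not exercised on any other product. The two scripts also cover only a file whose single line is `options ipv6 disable=N`; there is no scenario for a missing /etc/modprobe.d/ipv6.conf, a commented-out option line, or the sysctl values the remediation also sets. A third scenario starting from `rm -f /etc/modprobe.d/ipv6.conf` would show how the check and the `create: yes` path behave; it is presumably a fail case, but the check itself is not visible in this patch. A one-line comment in each script stating the expected result, e.g. `# option present and set to 1: rule must pass`, would also help.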
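--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/tests/module_enabled.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 7
+
+echo "options ipv6 disable=0" > /etc/modprobe.d/ipv6.conf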