Description
Describe the Issue
The controls 3.3.1/5/8 seem to be failing because they only pass the checks for IPv4, not for IPv6. If we look at the execution of the role, the tasks from those controls that are responsible for IPv6 are getting skipped because of a wrong variable used in the `when` conditional.
Expected Behavior
The controls should use the right variable in the when conditionals.
Actual Behavior
The tasks that should have implemented IPv6 as well were skipped because of the value of the `ubtu24cis_ipv6_disable` variable. The documentation states that this variable's value holds the mechanism by which IPv6 is disabled, either `grub` or `sysctl`.
If `ubtu24cis_ipv6_disable` has the value `sysctl`, then the IPv6 tasks for 3.3.1 Ensure ip forwarding is disabled, 3.3.5 Ensure icmp redirects are not accepted and 3.3.8 Ensure source routed packets are not accepted will be executed. Also, if it has the `sysctl` value, it disables IPv6 in the tasks for control 3.1.1.
I believe this is an error and this variable should not have been used in the 3.3.1/5/8 controls.
When this variable's value is set to `grub`, the IPv6 tasks of those controls do not get executed --> the logic here is kind of right: IPv6 is disabled, so there is no need for those tasks to run. But if we change that value to `sysctl`, IPv6 still gets disabled and suddenly these controls are allowed to run --> here is where the logic starts to go wrong!
The `when` conditionals for the IPv6-related tasks of those controls should have used `ubtu24cis_ipv6_required`, and they should only run if that variable is true.
Control(s) Affected
- Control 3.3.1
- Control 3.3.5
- Control 3.3.8
Environment (please complete the following information):
- branch being used: [e.g. devel]
Possible Solution
The solution will be provided in a PR.
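The conditional logic described in this issue, shown side by side as an added illustration (this is not the role's own task file or the fix from the PR). The variable names `ubtu24cis_ipv6_disable` and `ubtu24cis_ipv6_required` are the ones the issue names; the task names, the `ansible.posix.sysctl` module usage and the `net.ipv6.conf.all.forwarding` key are assumptions chosen to stand in for the 3.3.1 IPv6 task.

```yaml
# Added illustration, not the role's actual tasks. Only the two variable
# names come from the issue; the task layout and sysctl key are assumed.

# Original shape of the conditional: the IPv6 task is gated on the
# *mechanism* used to disable IPv6, not on whether IPv6 is in use.
#   ubtu24cis_ipv6_disable == "grub"   -> task skipped
#   ubtu24cis_ipv6_disable == "sysctl" -> task runs, even though IPv6
#                                         is also being disabled here
- name: "3.3.1 | IPv6 | Ensure ip forwarding is disabled (original conditional)"
  ansible.posix.sysctl:
    name: net.ipv6.conf.all.forwarding
    value: "0"
    state: present
    sysctl_set: true
    reload: true
  when: ubtu24cis_ipv6_disable == "sysctl"

# Corrected shape: gate on whether IPv6 is required on the host. The
# task runs when IPv6 stays enabled and is skipped when it is disabled,
# regardless of whether grub or sysctl does the disabling.
#   ubtu24cis_ipv6_required: true  -> task runs
#   ubtu24cis_ipv6_required: false -> task skipped
- name: "3.3.1 | IPv6 | Ensure ip forwarding is disabled (corrected conditional)"
  ansible.posix.sysctl:
    name: net.ipv6.conf.all.forwarding
    value: "0"
    state: present
    sysctl_set: true
    reload: true
  # "| bool" guards against the variable arriving as the string "false"
  # from extra-vars, which would otherwise be truthy in a bare when:.
  when: ubtu24cis_ipv6_required | bool
```

The same substitution applies to the IPv6 tasks of 3.3.5 and 3.3.8: the `when:` should test `ubtu24cis_ipv6_required`, and `ubtu24cis_ipv6_disable` should only decide how control 3.1.1 disables IPv6 when it is not required.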