From 82012a2c80e0f0bed75586b7d93570db2121962e Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 1 Aug 2022 17:50:37 +0200
Subject: [PATCH 1/2] Add rule for sysctl net.ipv4.conf.all.forwarding

This is rule is similar to sysctl_net_ipv6_conf_all_forwarding and sysctl_net_ipv4_forward.
---
 .../rule.yml | 44 +++++++++++++++++++
 ...ctl_net_ipv4_conf_all_forwarding_value.var | 17 +++++++
 shared/references/cce-redhat-avail.txt | 1 -
 3 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
 create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
new file mode 100644
index 00000000000..7b0066f7c29
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
@@ -0,0 +1,44 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}'
+
+rationale: |-
+ IP forwarding permits the kernel to forward packets from one network
+ interface to another. The ability to forward packets between two networks is
+ only appropriate for systems acting as routers.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-86220-1
+
+references:
+ disa: CCI-000366
+ nist: CM-6(b)
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-040259
+
+ocil_clause: 'IP forwarding value is "1" and the system is not router'
+
+ocil: |-
+ {{{ ocil_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}
+ The ability to forward packets is only appropriate for routers.
+
+fixtext: |-
+ Configure {{{ full_name }}} to not allow packet forwarding unless the system is a router with the following commands:
+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.forwarding", value="0") | indent(4) }}}
+
+srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless the system is a router.'
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: net.ipv4.conf.all.forwarding
+ datatype: int
+
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
new file mode 100644
index 00000000000..2aedd6e6432
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
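Review bot: The value "0" is hard-coded in description, ocil_clause, ocil and fixtext, while the template block gives only `sysctlvar` and `datatype`; if the sysctl template then takes its expected value from the companion `sysctl_net_ipv4_conf_all_forwarding_value` variable, as the added .var file with its `enabled: 1` option suggests, a profile selecting that option would be checked for 1 but documented and remediated to 0. Either pin the check to the documented value with `sysctlval: "0"` under `vars:`, or make the prose and fixtext refer to the variable rather than a fixed value. Separately, the ocil_clause reads `'IP forwarding value is "1" and the system is not router'` and should be `'IP forwarding value is "1" and the system is not a router'`. The rationale could also say that this key governs forwarding on every IPv4 interface, which is the point of choosing `conf.all.forwarding` over `ip_forward` for RHEL-08-040259.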
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: net.ipv4.conf.all.forwarding
+
+description: 'Toggle IPv4 Forwarding'
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+ default: "0"
+ disabled: "0"
+ enabled: 1
+
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 914233f06bf..3e14b73dd71 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -168,7 +168,6 @@ CCE-86216-9
 CCE-86217-7
 CCE-86218-5
 CCE-86219-3
-CCE-86220-1
 CCE-86221-9
 CCE-86222-7
 CCE-86223-5
From 0e2be2dfb7c185ac15e69e110c2e7a76f6896df7 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 1 Aug 2022 17:53:32 +0200
Subject: [PATCH 2/2] Better align with RHEL-08-040259

The item is about net.ipv4.conf.all.forwarding
The update to V1R7 made brought this misalignment to light.
---
 .../sysctl_net_ipv4_ip_forward/rule.yml | 1 -
 products/rhel8/profiles/stig.profile | 2 +-
 tests/data/profile_stability/rhel8/stig.profile | 4 ++--
 tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
 4 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
index 5c449db7f3a..7acfc0b05b6 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -45,7 +45,6 @@ references:
 stigid@ol7: OL07-00-040740
 stigid@ol8: OL08-00-040260
 stigid@rhel7: RHEL-07-040740
- stigid@rhel8: RHEL-08-040259
 stigid@sle12: SLES-12-030430
 stigid@sle15: SLES-15-040380
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 4b480bd2c11..6b44436a2b1 100644
--- a/products/rhel8/profiles/stig.profile
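Review bot: `enabled: 1` is a bare integer while `default: "0"` and `disabled: "0"` are quoted strings, so the three options of this `type: number` variable do not share a scalar type; the build appears to tolerate both forms, but the mismatch reads as an oversight and a YAML-aware tool round-tripping the file may render 1 and "0" differently. Quote it like its siblings: `enabled: "1"`. The description `'Toggle IPv4 Forwarding'` could state what the value does, e.g. `description: 'Value for net.ipv4.conf.all.forwarding; 0 disables forwarding on all IPv4 interfaces'`.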
+++ b/products/rhel8/profiles/stig.profile
@@ -1127,7 +1127,7 @@ selections:
 - sysctl_net_ipv6_conf_default_accept_source_route
 # RHEL-08-040259
- - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv4_conf_all_forwarding
 # RHEL-08-040260
 - sysctl_net_ipv6_conf_all_forwarding
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 4bee72830d0..47f53a9d023 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -1,7 +1,7 @@
 title: DISA STIG for Red Hat Enterprise Linux 8
 description: 'This profile contains configuration checks that align to the
- DISA STIG for Red Hat Enterprise Linux 8 V1R7
+ DISA STIG for Red Hat Enterprise Linux 8 V1R7.
 In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
@@ -395,13 +395,13 @@ selections:
 - sysctl_net_core_bpf_jit_harden
 - sysctl_net_ipv4_conf_all_accept_redirects
 - sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_forwarding
 - sysctl_net_ipv4_conf_all_rp_filter
 - sysctl_net_ipv4_conf_all_send_redirects
 - sysctl_net_ipv4_conf_default_accept_redirects
 - sysctl_net_ipv4_conf_default_accept_source_route
 - sysctl_net_ipv4_conf_default_send_redirects
 - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- sysctl_net_ipv4_ip_forward
 - sysctl_net_ipv6_conf_all_accept_ra
 - sysctl_net_ipv6_conf_all_accept_redirects
 - sysctl_net_ipv6_conf_all_accept_source_route
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index ece32d06a6f..c4e60ddcde5 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
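Review bot: The swap under `# RHEL-08-040259` relies on the new `sysctl_net_ipv4_conf_all_forwarding_value` variable keeping its `default: "0"`, since the profile selects no value for it; the intent (forwarding off unless the host is a router) would be explicit and immune to a later default change with a selection next to the rule, `- sysctl_net_ipv4_conf_all_forwarding_value=disabled`. Dropping sysctl_net_ipv4_ip_forward should not reduce coverage as far as I know, because the kernel exposes net.ipv4.ip_forward and net.ipv4.conf.all.forwarding as the same switch, so keeping both rules would have tested one value twice. If the explicit selection is added, the profile_stability hunks for stig.profile and stig_gui.profile that follow need the same line.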
@@ -405,13 +405,13 @@ selections:
 - sysctl_net_core_bpf_jit_harden
 - sysctl_net_ipv4_conf_all_accept_redirects
 - sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_forwarding
 - sysctl_net_ipv4_conf_all_rp_filter
 - sysctl_net_ipv4_conf_all_send_redirects
 - sysctl_net_ipv4_conf_default_accept_redirects
 - sysctl_net_ipv4_conf_default_accept_source_route
 - sysctl_net_ipv4_conf_default_send_redirects
 - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- sysctl_net_ipv4_ip_forward
 - sysctl_net_ipv6_conf_all_accept_ra
 - sysctl_net_ipv6_conf_all_accept_redirects
 - sysctl_net_ipv6_conf_all_accept_source_route