From 4d8b6b4f7a2c1cfd9e8b0265c3972c6eea9ba059 Mon Sep 17 00:00:00 2001
From: Christian Hagenest
Date: Tue, 6 Dec 2022 16:56:47 +0100
Subject: [PATCH 1/7] add bash remediation to set_ipv6_loopback_traffic

---
 .../set_ipv6_loopback_traffic/bash/shared.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh
index 1cf0625e02f..2c9161f9060 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh
@@ -1,5 +1,5 @@
 # platform = multi_platform_sle
 
-iptables -A INPUT -i lo -j ACCEPT
-iptables -A OUTPUT -o lo -j ACCEPT
-iptables -A INPUT -s 127.0.0.0/8 -j DROP
+ip6tables -A INPUT -i lo -j ACCEPT
+ip6tables -A OUTPUT -o lo -j ACCEPT
+ip6tables -A INPUT -s ::1 -j DROP
\ No newline at end of file

From 774014a87da5a4a8dd6ea28b1b2e4ba16f7ef300 Mon Sep 17 00:00:00 2001
From: Christian Hagenest
Date: Tue, 6 Dec 2022 18:19:41 +0100
Subject: [PATCH 2/7] add ansible remed for set_ipv6_loopback_traffic

---
 .../ansible/shared.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/ansible/shared.yml

diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/ansible/shared.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/ansible/shared.yml
new file mode 100644
index 00000000000..2db79d71099
--- /dev/null
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/ansible/shared.yml
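Review bot: The three rules are appended with `-A` and no existence check, so every run of this remediation adds another copy of each rule to the INPUT and OUTPUT chains; remediations in this tree tend to be applied more than once, so guard each append, e.g. `ip6tables -C INPUT -i lo -j ACCEPT 2>/dev/null || ip6tables -A INPUT -i lo -j ACCEPT`, and likewise for the OUTPUT and `::1` DROP lines. The rules are order-sensitive — the `::1` DROP must stay behind the `lo` ACCEPT, otherwise genuine loopback traffic is dropped — and appending puts them behind whatever is already in the chain, so a one-line comment stating that ordering assumption would help the next reader. The hunk changes only the running ruleset; whether it survives a reboot depends on something outside this file.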
@@ -0,0 +1,22 @@
+# platform = multi_platform_sle
+
+- name: Allow incoming traffic on the loopback interface
+  ansible.builtin.iptables:
+    ipv6: yes
+    chain: INPUT
+    in_interface: lo
+    jump: ACCEPT
+
+- name: Allow outgoing traffic on the loopback interface
+  ansible.builtin.iptables:
+    ipv6: yes
+    chain: OUTPUT
+    out_interface: lo
+    jump: ACCEPT
+
+- name: Drop incoming traffic from the localhost
+  ansible.builtin.iptables:
+    ipv6: yes
+    chain: INPUT
+    source: "::1"
+    jump: DROP

From ddb687f56236677a4e79035d589973597c080b5c Mon Sep 17 00:00:00 2001
From: Christian Hagenest
Date: Wed, 7 Dec 2022 13:43:06 +0100
Subject: [PATCH 3/7] Update CIS Nr for set_ipv6_loopback_traffic

---
 .../iptables_activation/set_ipv6_loopback_traffic/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml
index b317466ce6e..9515ab2a791 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/rule.yml
@@ -22,7 +22,7 @@ identifiers:
 
 references:
     cis@sle12: 3.5.3.1
-    cis@sle15: 3.5.3.2.2
+    cis@sle15: 3.5.3.3.2
     pcidss: Req-1.4.1
 
 warnings:

From dc5f1cc5b19966656965a55cd1ab0cc18b0103bd Mon Sep 17 00:00:00 2001
From: Christian Hagenest
Date: Wed, 7 Dec 2022 13:45:50 +0100
Subject: [PATCH 4/7] Add check for ipv6-disable to ipv6_loopback bash

---
 .../set_ipv6_loopback_traffic/bash/shared.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh
index 2c9161f9060..36ab5912524 100644
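Review bot: `ipv6: yes` on each of the three tasks is a YAML 1.1 truthy spelling; write it as `ipv6: true` so yamllint's `truthy` rule and YAML 1.2 parsers agree with the module on the type. The three tasks rely on the module's default append action to keep the `::1` DROP behind the `lo` ACCEPT, and that ordering is what makes the ruleset safe for genuine loopback traffic, so a comment on the last task naming the dependency would help. As with the bash variant, only the live ip6tables ruleset is changed here; persistence across reboots is not addressed by this file.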
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh
@@ -1,5 +1,8 @@
 # platform = multi_platform_sle
 
-ip6tables -A INPUT -i lo -j ACCEPT
-ip6tables -A OUTPUT -o lo -j ACCEPT
-ip6tables -A INPUT -s ::1 -j DROP
\ No newline at end of file
+if [ $(sysctl -n net.ipv6.conf.all.disable_ipv6) -eq 0 ]; then
+    # IPv6 is not disabled, so run the script
+    ip6tables -A INPUT -i lo -j ACCEPT
+    ip6tables -A OUTPUT -o lo -j ACCEPT
+    ip6tables -A INPUT -s ::1 -j DROP
+fi
\ No newline at end of file

From 0bad90e3a7f293794dfcc879e6e2cfd56c27cee8 Mon Sep 17 00:00:00 2001
From: Christian Hagenest
Date: Wed, 7 Dec 2022 14:04:23 +0100
Subject: [PATCH 5/7] add ipv6 enabled check to ansible f ipv6 loopback

---
 .../set_ipv6_loopback_traffic/ansible/shared.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/ansible/shared.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/ansible/shared.yml
index 2db79d71099..8dd03dbefa3 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/ansible/shared.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/ansible/shared.yml
@@ -1,11 +1,17 @@
 # platform = multi_platform_sle
 
+- name: Check if IPv6 is enabled
+  command: sysctl -n net.ipv6.conf.all.disable_ipv6
+  register: ipv6_status
+  failed_when: ipv6_status.stdout != "0"
+
 - name: Allow incoming traffic on the loopback interface
   ansible.builtin.iptables:
     ipv6: yes
     chain: INPUT
     in_interface: lo
     jump: ACCEPT
+  when: "{{ ipv6_status.stdout == '0' }}"
 
 - name: Allow outgoing traffic on the loopback interface
   ansible.builtin.iptables:
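Review bot: `[ $(sysctl -n net.ipv6.conf.all.disable_ipv6) -eq 0 ]` aborts with a test error instead of evaluating to false when the key cannot be read — for example on a host where IPv6 was turned off on the kernel command line and the `net.ipv6` sysctl tree does not exist — because `sysctl -n` then prints nothing and `[ "" -eq 0 ]` is not a valid integer comparison, so the remediation errors out rather than skipping. The quoting added in PATCH 7/7 keeps that behaviour. A string comparison sidesteps it: `if [ "$(sysctl -n net.ipv6.conf.all.disable_ipv6 2>/dev/null)" = "0" ]; then`. The unguarded `-A` appends raised on PATCH 1/7 carry over into this block unchanged.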
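Review bot: `failed_when: ipv6_status.stdout != "0"` on the new check task makes the play fail whenever IPv6 is disabled, which is the opposite of what the `when:` guards on the following tasks (this hunk and the two later hunks of this patch) are there for — the remediation should skip, not error. Replace it with `failed_when: false` and add `changed_when: false`, so a missing sysctl key or a value of 1 neither fails the run nor reports a change on a read-only command, and let the `when:` conditions do the skipping. The conditions themselves should not wrap the expression in Jinja delimiters; `when: ipv6_status.stdout == '0'` is the form Ansible expects, and it warns about the `"{{ }}"` spelling. Please also confirm each `when:` sits at task level (same indent as `ansible.builtin.iptables:`) and not inside the module's arguments, where it would be rejected as an unsupported parameter. `command:` is the only task here without the `ansible.builtin.` prefix the other tasks use.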
@@ -13,6 +19,7 @@
     chain: OUTPUT
     out_interface: lo
     jump: ACCEPT
+  when: "{{ ipv6_status.stdout == '0' }}"
 
 - name: Drop incoming traffic from the localhost
   ansible.builtin.iptables:
@@ -20,3 +27,4 @@
     chain: INPUT
     source: "::1"
     jump: DROP
+  when: "{{ ipv6_status.stdout == '0' }}"
\ No newline at end of file

From 65cf65589bccc9cd9fae683450a791ecfe973a5d Mon Sep 17 00:00:00 2001
From: Christian Hagenest
Date: Wed, 7 Dec 2022 14:09:22 +0100
Subject: [PATCH 6/7] add newline at end of ipv6 loopback remed

---
 .../set_ipv6_loopback_traffic/ansible/shared.yml | 2 +-
 .../set_ipv6_loopback_traffic/bash/shared.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/ansible/shared.yml b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/ansible/shared.yml
index 8dd03dbefa3..95355b668e2 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/ansible/shared.yml
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/ansible/shared.yml
@@ -27,4 +27,4 @@
     chain: INPUT
     source: "::1"
     jump: DROP
-  when: "{{ ipv6_status.stdout == '0' }}"
\ No newline at end of file
+  when: "{{ ipv6_status.stdout == '0' }}"
diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh
index 36ab5912524..872d24b587b 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh
@@ -5,4 +5,4 @@ if [ $(sysctl -n net.ipv6.conf.all.disable_ipv6) -eq 0 ]; then
     ip6tables -A INPUT -i lo -j ACCEPT
     ip6tables -A OUTPUT -o lo -j ACCEPT
     ip6tables -A INPUT -s ::1 -j DROP
-fi
\ No newline at end of file
+fi

From 816e30b68950e7a9487f857d28fa66eb21452411 Mon Sep 17 00:00:00 2001
From: Christian Hagenest
Date: Wed, 7 Dec 2022 16:55:09 +0100
Subject: [PATCH 7/7] fix bash syntax for set_ipv6_loopback_traffic

---
 .../set_ipv6_loopback_traffic/bash/shared.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh
index 872d24b587b..c0e09d6c16f 100644
--- a/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh
+++ b/linux_os/guide/system/network/network-iptables/iptables_activation/set_ipv6_loopback_traffic/bash/shared.sh
@@ -1,6 +1,6 @@
 # platform = multi_platform_sle
 
-if [ $(sysctl -n net.ipv6.conf.all.disable_ipv6) -eq 0 ]; then
+if [ "$(sysctl -n net.ipv6.conf.all.disable_ipv6)" -eq 0 ]; then
     # IPv6 is not disabled, so run the script
     ip6tables -A INPUT -i lo -j ACCEPT
     ip6tables -A OUTPUT -o lo -j ACCEPT