The IPv6 protocol handler must not be bound to the network stack unless needed.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-22541 | GEN007700 | SV-38918r1_rule | ECSC-1 | Medium |
| Description |
|---|
| IPv6 is the next version of the Internet protocol. Binding this protocol to the network stack increases the attack surface of the host. |
| STIG | Date |
|---|---|
| Draft AIX Security Technical Implementation Guide | 2011-08-17 |
Details
| Check Text ( C-37907r1_chk ) |
|---|
| AIX comes with IPv6 protocol handler installed and active. The only configured IPv6 address is the loopback localhost adapter. Check if any other interfaces have IPv6 addresses active. # ifconfig -a If any IPv6 addresses are configured on any network interfaces other than loopback and IPv6 is not needed, this is a finding. |
| Fix Text (F-33165r1_fix) |
|---|
| Unbind the IPv6 protocol handler from the network stack. Edit /etc/rc.tcpip and comment out autoconf6 to prevent IPv6 from auto starting. Unconfigure IPv6 addresses from interfaces not used with smit. #smit chinet6 |