
The IPv6 protocol handler must not be bound to the network stack unless needed.


Overview

Finding ID: V-22541
Version: GEN007700
Rule ID: SV-63431r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
IPv6 is the next version of the Internet protocol. Binding its protocol handler to the network stack on a host that does not use IPv6 increases the attack surface: once the ipv6 module is loaded, interfaces receive link-local addresses automatically and any service listening on the wildcard IPv6 address becomes reachable over a protocol the administrator is not monitoring or filtering.
STIG: Oracle Linux 5 Security Technical Implementation Guide
STIG Date: 2015-03-26

Details

Check Text (C-52137r1_chk)
If the IPv6 protocol handler is bound to the network stack and the system does not need IPv6, this is a finding.

# grep NETWORKING_IPV6 /etc/sysconfig/network
If an uncommented line sets the value to "yes", this is a finding. (The grep also matches commented-out lines; only the active setting counts.)
Fix Text (F-54041r2_fix)
Remove the capability to use the IPv6 protocol handler.

Procedure:
Edit /etc/sysconfig/network and change

NETWORKING_IPV6=yes
to
NETWORKING_IPV6=no

Edit /etc/modprobe.conf and add these lines (if they are not in it):
alias net-pf-10 off
alias ipv6 off

Stop the ip6tables service by typing:
service ip6tables stop

Disable the ip6tables service by typing:
chkconfig ip6tables off

Remove the ipv6 kernel module:
# rmmod ipv6

rmmod fails with "Module ipv6 is in use" while any interface still carries an IPv6 address or any process holds an IPv6 socket; this is expected. The modprobe.conf aliases added above prevent the module from being loaded again, so the reboot in the next step leaves the system without the handler regardless of whether rmmod succeeded.

Reboot

After the reboot, confirm with "lsmod | grep ipv6" that the module is absent, and check the logs of services configured to listen on IPv6 addresses (for example a wildcard "::" listener), since they can no longer bind those sockets.
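The following script is an added example, not text from the STIG or a DISA tool: it encodes the check above and the file-editing part of the fix as shell functions, so an administrator can audit a system the way the check describes and apply the two file changes idempotently. It goes slightly beyond the STIG's plain grep by ignoring commented-out lines and tolerating quotes and whitespace around the value, and it also verifies the modprobe.conf aliases and whether the ipv6 module is currently loaded. Every file path is a parameter so the functions can be run against copies; the defaults are the Oracle Linux 5 locations the STIG names. The ip6tables, rmmod and reboot steps are left to the procedure above.

```shell
#!/bin/sh
# Added example for GEN007700 (not part of the STIG text): audit and remediate
# the IPv6 settings described in the check and fix. File paths are parameters
# so the functions can be exercised on constructed sample files; defaults are
# the Oracle Linux 5 locations named by the STIG.

# An active (uncommented) NETWORKING_IPV6=yes assignment, allowing optional
# whitespace, single or double quotes around the value, and a trailing comment.
IPV6_YES_RE='^[[:space:]]*NETWORKING_IPV6[[:space:]]*=[[:space:]]*["'\'']?yes["'\'']?[[:space:]]*(#.*)?$'

# Returns 0 (the finding applies) when the file enables IPv6.
ipv6_networking_enabled() {
    netfile=${1:-/etc/sysconfig/network}
    [ -r "$netfile" ] && grep -qE "$IPV6_YES_RE" "$netfile"
}

# Returns 0 when FILE ($1) carries an "alias NAME off" line for module NAME ($2).
has_alias_off() {
    [ -r "$1" ] && grep -qE '^[[:space:]]*alias[[:space:]]+'"$2"'[[:space:]]+off([[:space:]]|$)' "$1"
}

# Returns 0 when modprobe.conf disables both the ipv6 module and the
# PF_INET6 protocol family (net-pf-10), as the fix text requires.
modprobe_disables_ipv6() {
    conf=${1:-/etc/modprobe.conf}
    has_alias_off "$conf" net-pf-10 && has_alias_off "$conf" ipv6
}

# Returns 0 when the ipv6 module is loaded. /proc/modules lists one module
# per line with the name in the first field.
ipv6_module_loaded() {
    modfile=${1:-/proc/modules}
    [ -r "$modfile" ] && grep -q '^ipv6 ' "$modfile"
}

# Prints each problem found and returns the number of problems (0 = clean).
# Only the NETWORKING_IPV6 item is the STIG finding; the other two confirm
# that the fix procedure has actually taken effect.
audit_gen007700() {
    netfile=${1:-/etc/sysconfig/network}
    conf=${2:-/etc/modprobe.conf}
    modfile=${3:-/proc/modules}
    problems=0
    if ipv6_networking_enabled "$netfile"; then
        echo "FINDING: NETWORKING_IPV6=yes in $netfile"
        problems=$((problems + 1))
    fi
    if ! modprobe_disables_ipv6 "$conf"; then
        echo "NOTE: $conf lacks 'alias net-pf-10 off' and/or 'alias ipv6 off'"
        problems=$((problems + 1))
    fi
    if ipv6_module_loaded "$modfile"; then
        echo "NOTE: ipv6 kernel module is loaded (rmmod ipv6 or reboot still needed)"
        problems=$((problems + 1))
    fi
    return $problems
}

# Rewrites every active NETWORKING_IPV6 assignment to "no" (appending one if
# none exists) and adds the modprobe.conf alias lines only when missing, so a
# second run changes nothing. The network file is rewritten through cat so
# its mode and ownership are preserved.
remediate_gen007700() {
    netfile=${1:-/etc/sysconfig/network}
    conf=${2:-/etc/modprobe.conf}
    if grep -qE '^[[:space:]]*NETWORKING_IPV6[[:space:]]*=' "$netfile" 2>/dev/null; then
        sed 's/^\([[:space:]]*NETWORKING_IPV6[[:space:]]*=\).*/\1no/' "$netfile" > "$netfile.tmp" \
            && cat "$netfile.tmp" > "$netfile" && rm -f "$netfile.tmp"
    else
        echo 'NETWORKING_IPV6=no' >> "$netfile"
    fi
    for mod in net-pf-10 ipv6; do
        has_alias_off "$conf" "$mod" || echo "alias $mod off" >> "$conf"
    done
}

# Usage on a live system: "sh gen007700.sh audit" reports against the real
# files; "sh gen007700.sh fix" (as root) remediates and re-audits. With no
# argument the functions are only defined.
case "${1:-}" in
    audit) audit_gen007700 ;;
    fix)   remediate_gen007700 && audit_gen007700 ;;
esac
```

A non-zero return from "audit" after "fix" is expected until the module has been unloaded or the host rebooted; the exit status counts the remaining items rather than failing outright so the output can be fed into a larger compliance run.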