Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22541 | GEN007700 | SV-63431r1_rule | ECSC-1 | Medium |
Description |
---|
IPv6 is the next version of the Internet protocol. Binding this protocol to the network stack increases the attack surface of the host. |
STIG | Date |
---|---|
Oracle Linux 5 Security Technical Implementation Guide | 2015-06-05 |
Check Text ( C-52137r1_chk ) |
---|
If the IPv6 protocol handler is bound to the network stack, and the system does not need IPv6, this is a finding. # grep NETWORKING_IPV6 /etc/sysconfig/network If the line is set to "yes", this is a finding. |
Fix Text (F-54041r2_fix) |
---|
Remove the capability to use IPv6 protocol handler. Procedure: Edit /etc/sysconfig/network and change NETWORKING_IPV6=yes to NETWORKING_IPV6=no Edit /etc/modprobe.conf and add these lines (if they are not in it): alias net-pf-10 off alias ipv6 off Stop the ipv6tables service by typing: service ip6tables stop Disable the ipv6tables service by typing: chkconfig ip6tables off Remove the ipv6 kernel module # rmmod ipv6 Reboot |