
The IPv6 protocol handler must not be bound to the network stack unless needed.


Overview

Finding ID: V-22541
Version: GEN007700
Rule ID: SV-63431r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
IPv6 is the next version of the Internet protocol. Binding its protocol handler (the ipv6 kernel module) to the network stack adds a second network-layer attack surface, one that is often left unfiltered and unmonitored on hosts that only use IPv4.
STIG: Oracle Linux 5 Security Technical Implementation Guide
Date: 2015-06-05

Details

Check Text ( C-52137r1_chk )
If the IPv6 protocol handler is bound to the network stack, and the system does not need IPv6, this is a finding.

# grep NETWORKING_IPV6 /etc/sysconfig/network
If an uncommented line sets the value to "yes", this is a finding. (The grep above also matches commented-out lines such as "#NETWORKING_IPV6=yes"; those do not count.)
Fix Text (F-54041r2_fix)
Remove the capability to use the IPv6 protocol handler.

Procedure:
Edit /etc/sysconfig/network and change

NETWORKING_IPV6=yes
to
NETWORKING_IPV6=no

Edit /etc/modprobe.conf and add these lines (if they are not in it):
alias net-pf-10 off
alias ipv6 off

Stop the ip6tables service (its kernel modules hold a reference on the ipv6 module, so it must be stopped before the module can be unloaded) by typing:
service ip6tables stop

Disable the ip6tables service by typing:
chkconfig ip6tables off

Remove the ipv6 kernel module:
# rmmod ipv6
If this fails with "Module ipv6 is in use", a running service still holds an IPv6 socket; the reboot below clears it.

Reboot, so that the modprobe.conf aliases take effect and every service restarts without an IPv6 socket.
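The check and fix above, as an added example that is not part of the STIG text: a small POSIX sh helper that audits and corrects the two configuration files and, when run with --live on the host, also checks the module and service state. It assumes the Oracle Linux 5 layout (/etc/sysconfig/network, /etc/modprobe.conf, chkconfig and lsmod present); the function names, the --live flag and the sample file contents in demo() are this example's own.

```shell
#!/bin/sh
# Audit/fix helper for GEN007700 (example code, not from the STIG).
# Assumes the Oracle Linux 5 file layout: /etc/sysconfig/network and
# /etc/modprobe.conf. Every function takes the file path as an argument so
# it can be exercised on copies before touching the real files.

# Print the effective NETWORKING_IPV6 value: last uncommented assignment
# wins, surrounding quotes are stripped, empty if the line is absent.
ipv6_setting() {
    sed -n 's/^[[:space:]]*NETWORKING_IPV6=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Check text: 0 (compliant) unless NETWORKING_IPV6 is "yes", then 1 (finding).
check_sysconfig_network() {
    case "$(ipv6_setting "$1")" in
        [Yy][Ee][Ss]) return 1 ;;
        *)            return 0 ;;
    esac
}

# Fix text: both alias lines must be present so the ipv6 module stays unloaded.
check_modprobe_conf() {
    grep -Eq '^[[:space:]]*alias[[:space:]]+net-pf-10[[:space:]]+off[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*alias[[:space:]]+ipv6[[:space:]]+off[[:space:]]*$' "$1"
}

# Rewrite NETWORKING_IPV6 to "no" (or add it) through a temp file, so a
# failed write never leaves a truncated /etc/sysconfig/network behind.
fix_sysconfig_network() {
    tmp="$1.$$.tmp"
    if grep -Eq '^[[:space:]]*NETWORKING_IPV6=' "$1"; then
        sed 's/^\([[:space:]]*NETWORKING_IPV6=\).*/\1no/' "$1" > "$tmp"
    else
        { cat "$1"; echo 'NETWORKING_IPV6=no'; } > "$tmp"
    fi
    mv "$tmp" "$1"
}

# Append only the alias lines that are missing (idempotent on repeated runs).
fix_modprobe_conf() {
    grep -Eq '^[[:space:]]*alias[[:space:]]+net-pf-10[[:space:]]+off' "$1" \
        || echo 'alias net-pf-10 off' >> "$1"
    grep -Eq '^[[:space:]]*alias[[:space:]]+ipv6[[:space:]]+off' "$1" \
        || echo 'alias ipv6 off' >> "$1"
}

# Live checks for the remaining fix steps; only meaningful on the OL5 host.
live_audit() {
    check_sysconfig_network /etc/sysconfig/network \
        || echo 'FINDING: NETWORKING_IPV6=yes in /etc/sysconfig/network'
    check_modprobe_conf /etc/modprobe.conf \
        || echo 'FINDING: /etc/modprobe.conf lacks the ipv6 alias lines'
    lsmod | grep -q '^ipv6 ' && echo 'FINDING: ipv6 module is loaded'
    chkconfig --list ip6tables 2>/dev/null | grep -q ':on' \
        && echo 'FINDING: ip6tables is still enabled in some runlevel'
    return 0
}

# Constructed sample files (not real system files): a host with the finding,
# then the fix applied and re-audited. Returns 0 when the fixed copies pass.
demo() {
    d=$(mktemp -d) || return 1
    printf 'NETWORKING=yes\nNETWORKING_IPV6="yes"\nHOSTNAME=ol5.example\n' > "$d/network"
    printf 'alias eth0 e1000\n' > "$d/modprobe.conf"
    check_sysconfig_network "$d/network" && { rm -rf "$d"; return 1; }  # must be a finding first
    fix_sysconfig_network "$d/network"
    fix_modprobe_conf "$d/modprobe.conf"
    check_sysconfig_network "$d/network" && check_modprobe_conf "$d/modprobe.conf"
    rc=$?
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    live_audit
fi
```

Run it with no arguments to exercise the constructed sample via demo, or with --live on the host to print one FINDING line per unmet step; the file-editing functions never touch /etc unless you pass those paths explicitly.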