
The IPv6 protocol handler must not be bound to the network stack unless needed.


Overview

Finding ID: V-22541
Version: GEN007700
Rule ID: SV-37606r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
IPv6 is the next version of the Internet protocol. Binding this protocol to the network stack increases the attack surface of the host.
STIG: Red Hat Enterprise Linux 5 Security Technical Implementation Guide
Date: 2014-07-02

Details

Check Text ( None )
None
Fix Text (F-31643r1_fix)
Remove the capability to use IPv6 protocol handler.

Procedure:
Edit /etc/sysconfig/network and change
NETWORKING_IPV6=yes
to
NETWORKING_IPV6=no

Edit /etc/modprobe.conf and add these lines (if they are not in it):
alias net-pf-10 off
alias ipv6 off

Stop the ip6tables service by typing:
service ip6tables stop

Disable the ip6tables service by typing:
chkconfig ip6tables off

Remove the ipv6 kernel module
# rmmod ipv6

Reboot
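
The page gives no Check Text for this rule. As an added example (not part of the STIG or of this page's Fix Text), the shell functions below verify after the reboot that each setting from the procedure is in place. The function names, the --audit argument, and the use of /proc/modules and chkconfig --list to inspect state are assumptions of this example.

```shell
#!/bin/sh
# Added example: audits the settings named in the Fix Text. Not part of the STIG.
# Each check takes an optional file path (assumption, for testing against copies);
# the defaults are the paths used in the procedure.

# Pass if the last NETWORKING_IPV6 assignment in the file is "no".
check_network_file() {
    f="${1:-/etc/sysconfig/network}"
    [ -r "$f" ] || return 2
    val=$(grep -E '^[[:space:]]*NETWORKING_IPV6=' "$f" | tail -n 1 |
          cut -d= -f2 | tr -d "\"'[:space:]")
    [ "$val" = "no" ]
}

# Pass if an active (uncommented) "alias <name> off" line exists in file $2.
has_alias_off() {
    grep -Eq "^[[:space:]]*alias[[:space:]]+$1[[:space:]]+off[[:space:]]*$" "$2"
}

# Pass if both aliases from the procedure are present.
check_modprobe_file() {
    f="${1:-/etc/modprobe.conf}"
    [ -r "$f" ] || return 2
    has_alias_off net-pf-10 "$f" && has_alias_off ipv6 "$f"
}

# Pass if no ipv6 entry is in the loaded-module list (/proc/modules format).
check_module_unloaded() {
    f="${1:-/proc/modules}"
    [ -r "$f" ] || return 2
    ! grep -q '^ipv6 ' "$f"
}

# Run every check, print one line per failure, return non-zero if any failed.
audit_ipv6() {
    rc=0
    check_network_file "$1"    || { echo "FAIL: NETWORKING_IPV6 is not set to no"; rc=1; }
    check_modprobe_file "$2"   || { echo "FAIL: alias net-pf-10/ipv6 off not both present"; rc=1; }
    check_module_unloaded "$3" || { echo "FAIL: ipv6 kernel module is loaded"; rc=1; }
    if chkconfig --list ip6tables 2>/dev/null | grep -q ':on'; then
        echo "FAIL: ip6tables is enabled in at least one runlevel"; rc=1
    fi
    return $rc
}

# Audit the live system only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then audit_ipv6; fi
```

A commented-out alias line or a later NETWORKING_IPV6=yes assignment is reported as a failure, since neither leaves the setting in effect.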