The IPv6 protocol handler must not be bound to the network stack unless needed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-38546	RHEL-06-000098	SV-50347r3_rule		Medium

Description
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.

STIG	Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide	2016-07-22

Details

Check Text ( None )
None

Fix Text (F-43494r3_fix)
To prevent the IPv6 kernel module ("ipv6") from binding to the IPv6 networking stack, add the following line to "/etc/modprobe.d/disabled.conf" (or another file in "/etc/modprobe.d"): options ipv6 disable=1 This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol. Or add the following line to "/etc/sysctl.conf" to unhook the module: net.ipv6.conf.all.disable_ipv6 = 1

Fix Text (F-43494r3_fix)

To prevent the IPv6 kernel module ("ipv6") from binding to the IPv6 networking stack, add the following line to "/etc/modprobe.d/disabled.conf" (or another file in "/etc/modprobe.d"):

options ipv6 disable=1

This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol.

Or add the following line to "/etc/sysctl.conf" to unhook the module:

net.ipv6.conf.all.disable_ipv6 = 1