
The IPv6 protocol handler must not be bound to the network stack unless needed.


Overview

Finding ID: V-22541
Version: GEN007700
Rule ID: SV-42321r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
IPv6 is the next version of the Internet protocol. Binding this protocol to the network stack increases the attack surface of the host.
STIG: SOLARIS 9 X86 SECURITY TECHNICAL IMPLEMENTATION GUIDE
Date: 2015-10-01

Details

Check Text (C-40653r2_chk)
Ask the SA if the system is on an IPv6 network. If so, this is not applicable.

Verify there are no IPv6 addresses bound to network interfaces.

# ifconfig -a6

If there are any IPv6 addresses bound to network interfaces, this is a finding.

Verify the IPv6 Neighbor Discovery Protocol (NDP) daemon is not running.

# ps -ef | grep in.ndp

If the NDP daemon is running, this is a finding.
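The two checks above, applied to captured command output as an added example (not part of the STIG text): it counts inet6 addresses in `ifconfig -a6` output and in.ndpd entries in `ps -ef` output, and excludes the grep process itself from the match. The sample outputs are constructed, and the script assumes a POSIX sh (on Solaris, /usr/xpg4/bin/sh rather than /bin/sh).

```shell
#!/bin/sh
# Added example: evaluate the GEN007700 check against saved command output.

# Constructed sample of `ifconfig -a6` from a host that still has IPv6 plumbed.
SAMPLE_IFCONFIG6='lo0: flags=2000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
        inet6 fe80::a00:20ff:fe9c:1234/10'

# Constructed sample of `ps -ef` showing in.ndpd running, plus the grep itself.
SAMPLE_PS='    root     0     0  0   Sep 01 ?        0:01 sched
    root   142     1  0   Sep 01 ?        0:00 /usr/lib/inet/in.ndpd
    root  9912  9910  0 10:42:11 pts/1    0:00 grep in.ndp'

# Number of "inet6 ..." address lines in ifconfig -a6 output.
count_inet6_addrs() {
    printf '%s\n' "$1" | grep -c '^[[:space:]]*inet6 ' || true
}

# Number of in.ndpd processes in ps -ef output. The bracketed first
# character keeps the pattern from matching the grep command line itself,
# and the escaped dot avoids matching any "in?ndpd" string by accident.
count_ndpd_procs() {
    printf '%s\n' "$1" | grep -c '[i]n\.ndpd' || true
}

# Returns 0 when compliant, 1 when either condition is a finding.
gen007700_status() {
    addrs=$(count_inet6_addrs "$1")
    procs=$(count_ndpd_procs "$2")
    if [ "$addrs" -gt 0 ] || [ "$procs" -gt 0 ]; then
        echo "FINDING: $addrs inet6 address(es) bound, $procs in.ndpd process(es)"
        return 1
    fi
    echo "PASS: no IPv6 addresses bound and in.ndpd not running"
    return 0
}

# On the host itself: gen007700_status "$(ifconfig -a6)" "$(ps -ef)"
```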
Fix Text (F-35955r1_fix)
Disable the IPv6 Neighbor Discovery Protocol daemon.

# svcadm disable ndp

Remove all IPv6 addresses from network interfaces. Perform the following for every interface with an IPv6 address bound to it.

# ifconfig <interface> inet6 down unplumb

Remove all IPv6 network interface configuration.

# rm /etc/hostname6.*