
The IPv6 protocol handler must not be bound to the network stack unless needed.


Overview

Finding ID: V-22541
Version: GEN007700
Rule ID: SV-45980r1_rule
IA Controls: (none listed)
Severity: Medium
Description
IPv6 is the next version of the Internet protocol. Binding this protocol to the network stack increases the attack surface of the host.
STIG: SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide
Date: 2018-09-19

Details

Check Text (C-43262r1_chk)
Use the ifconfig command to determine if any network interface has an IPv6 address bound to it:
# /sbin/ifconfig | grep inet6

If any lines are returned that indicate IPv6 is active and the system does not need IPv6, this is a finding.
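
A per-interface version of this check, added here as an example and not part of the STIG text: it reads ifconfig output and lists which interface carries each inet6 address, which the bare grep does not show. The function names and the sample output are constructed for illustration; whether the system needs IPv6 remains a manual determination.

```shell
#!/bin/sh
# Added example: per-interface view of the GEN007700 check.
# Function names and the sample output are constructed for illustration.

# Read ifconfig output on stdin and print "<interface> <address>"
# for every inet6 line, so each finding is tied to an interface.
list_inet6() {
    awk '
        # A line starting in column 1 opens a new interface block.
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }
        /^[ \t]+inet6/ {
            # Older layout: "inet6 addr: <address> Scope:Link"
            # Newer layout: "inet6 <address> prefixlen 64 ..."
            addr = ($2 == "addr:") ? $3 : $2
            print iface, addr
        }
    '
}

# Exit status 0 when no IPv6 address is bound, 1 otherwise.
no_inet6_bound() {
    [ -z "$(list_inet6)" ]
}

# Constructed sample in the older ifconfig layout (not from a real host).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 02:00:00:00:00:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::ff:fe00:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# Demonstration on the sample; pipe /sbin/ifconfig in instead on a live host.
if printf '%s\n' "$SAMPLE_IFCONFIG" | no_inet6_bound; then
    echo "No IPv6 address bound to any interface."
else
    echo "IPv6 addresses bound (finding unless IPv6 is needed):"
    printf '%s\n' "$SAMPLE_IFCONFIG" | list_inet6
fi
```

On a live host, run `/sbin/ifconfig | list_inet6`; an empty result means no IPv6 address is bound.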
Fix Text (F-39345r2_fix)
Remove the capability to use the IPv6 protocol handler.

Procedure:
Update the variable “IPV6_DISABLE” using YaST in the /etc/sysconfig editor under the ‘System’ > ‘Kernel’ tree. Setting this variable to “YES” deactivates IPv6 at boot time. Reboot the system to implement the change.

NOTE: This change may affect other software product(s) that have their own IPv6 configuration settings.