Ensure IPv6 is disabled through kernel boot parameter
An XCCDF Rule
Description
To disable IPv6 protocol support in the Linux kernel, add the argument ipv6.disable=1 to the default GRUB2 command line for the Linux operating system.

To ensure that ipv6.disable=1 is added as a kernel command line argument to newly installed kernels, add ipv6.disable=1 to the default GRUB2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."

Run the following command to update the command line for already installed kernels:

# grubby --update-kernel=ALL --args="ipv6.disable=1"
Rationale
Any unnecessary network stacks, including IPv6, should be disabled to reduce the vulnerability to exploitation.
- ID
- xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument
- Severity
- Low
Remediation - OS Build Blueprint
[customizations.kernel]
append = "ipv6.disable=1"
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-82886-3
  - PCI-DSS-Req-1.3.1
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common; then
  # Correct the form of default kernel command line in GRUB
  if grep -q '^\s*GRUB_CMDLINE_LINUX=.*ipv6.disable=.*"' '/etc/default/grub' ; then
    # modify the GRUB command-line if an ipv6.disable= arg already exists
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6.disable=[^[:space:]]*\(.*"\)/\1 ipv6.disable=1 \2/' '/etc/default/grub'
  else
    sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 ipv6.disable=1"/' '/etc/default/grub'  # no ipv6.disable= arg present: append it (branch completed here; the page's copy was cut off)
  fi
  grubby --update-kernel=ALL --args="ipv6.disable=1"
fi
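An audit helper for this rule, added here as an example and not part of the SSG content: it checks /etc/default/grub, the running kernel's command line and every installed kernel's boot entry for an exact ipv6.disable=1 token, so a stale ipv6.disable=0 or a differently spelt argument is reported as a failure. The file and command-line strings are passed in as arguments so the helpers can be exercised on constructed input.

```shell
#!/bin/sh
# Added example (not the SSG remediation): audit the ipv6.disable=1 argument.

# Return 0 if the GRUB_CMDLINE_LINUX line in the file "$1" carries the exact
# token ipv6.disable=1 (ipv6.disable=0 or ipv6.disable=10 do not count).
grub_default_has_ipv6_disable() {
  grep -Eq '^[[:space:]]*GRUB_CMDLINE_LINUX="([^"]*[[:space:]])?ipv6\.disable=1([[:space:]][^"]*)?"' "$1"
}

# Return 0 if a kernel command line (one line, e.g. /proc/cmdline) contains
# the exact token ipv6.disable=1.
cmdline_has_ipv6_disable() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep -qxF 'ipv6.disable=1'
}

# Full host audit: default GRUB line, running kernel, installed boot entries.
audit_ipv6_disable() {
  status=0
  if grub_default_has_ipv6_disable /etc/default/grub; then
    echo "PASS: /etc/default/grub sets ipv6.disable=1"
  else
    echo "FAIL: /etc/default/grub does not set ipv6.disable=1"; status=1
  fi
  if cmdline_has_ipv6_disable "$(cat /proc/cmdline 2>/dev/null)"; then
    echo "PASS: running kernel booted with ipv6.disable=1"
  else
    echo "FAIL: running kernel booted without ipv6.disable=1 (reboot pending?)"; status=1
  fi
  # grubby --info=ALL prints one args="..." line per installed boot entry;
  # count the entries whose argument list lacks the token.
  if command -v grubby >/dev/null 2>&1; then
    missing=$(grubby --info=ALL 2>/dev/null | sed -n 's/^args="\(.*\)"$/\1/p' \
              | grep -vcE '(^| )ipv6\.disable=1( |$)')
    if [ "$missing" -eq 0 ]; then
      echo "PASS: every installed kernel entry carries ipv6.disable=1"
    else
      echo "FAIL: $missing installed kernel entries lack ipv6.disable=1"; status=1
    fi
  fi
  return $status
}

# Run the host audit only when invoked as: sh audit_ipv6.sh audit
case "${1:-}" in audit) audit_ipv6_disable ;; esac
```

The exit status is non-zero on any failed check, so the script drops straight into a cron job or CI gate. Remember that with ipv6.disable=1 the kernel creates no ::1 loopback address, so services configured to listen on IPv6 addresses must be adjusted before the reboot.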