
Ensure IPv6 is disabled through kernel boot parameter

An XCCDF Rule

Description

To disable IPv6 protocol support in the Linux kernel, add the argument ipv6.disable=1 to the default GRUB2 command line for the Linux operating system. Adding it to the default command line ensures that newly installed kernels also receive the argument. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."

Run the following command to update the command line of already installed kernels:

# grubby --update-kernel=ALL --args="ipv6.disable=1"
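The two steps above change two different things: the GRUB default governs kernels installed in the future, while grubby rewrites the boot entries of kernels already installed, and neither takes effect until the host reboots. The following POSIX shell script is an added compliance check, not part of the SSG rule or its remediations; it verifies both the GRUB default and the running kernel's command line, using constructed sample grub files so it runs offline (on a real host, pass /etc/default/grub and the contents of /proc/cmdline).

```shell
#!/bin/sh
# Added compliance check, not part of the SSG rule or its remediations.
# It reports whether ipv6.disable=1 is present both in the GRUB default
# (what newly installed kernels will get) and in the running kernel's
# command line (what is in effect now).

# Return 0 if the last GRUB_CMDLINE_LINUX= line in the given file carries
# exactly ipv6.disable=1; 1 for a different value or no such argument.
grub_default_has_ipv6_disable() {
    grep -E '^[[:space:]]*GRUB_CMDLINE_LINUX=' "$1" | tail -n 1 \
        | sed 's/^[^"]*"//; s/"[[:space:]]*$//' \
        | tr ' ' '\n' | grep -qx 'ipv6\.disable=1'
}

# Return 0 if a kernel command line string (e.g. the contents of
# /proc/cmdline) contains ipv6.disable=1 as a whole argument.
cmdline_has_ipv6_disable() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'ipv6\.disable=1'
}

# Constructed sample files so the check runs offline; on a real host use
# /etc/default/grub and "$(cat /proc/cmdline)" instead.
SAMPLE_DIR="$(mktemp -d)"
printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet ipv6.disable=1"\n' \
    > "$SAMPLE_DIR/grub.compliant"
printf 'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet ipv6.disable=0"\n' \
    > "$SAMPLE_DIR/grub.wrong_value"
printf 'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"\n' \
    > "$SAMPLE_DIR/grub.missing"

# Print a finding per location; return 0 only when both are compliant.
check_ipv6_disabled() {
    grub_file="$1"; running_cmdline="$2"; rc=0
    if grub_default_has_ipv6_disable "$grub_file"; then
        echo "PASS: $grub_file sets ipv6.disable=1 for future kernels"
    else
        echo "FAIL: $grub_file lacks ipv6.disable=1; new kernels keep IPv6 on"; rc=1
    fi
    if cmdline_has_ipv6_disable "$running_cmdline"; then
        echo "PASS: running kernel booted with ipv6.disable=1"
    else
        echo "FAIL: running kernel booted without ipv6.disable=1; update and reboot"; rc=1
    fi
    return $rc
}

check_ipv6_disabled "$SAMPLE_DIR/grub.compliant" "ro rhgb quiet ipv6.disable=1"
```

A value such as ipv6.disable=0 or a missing argument is reported as a failure for that location, so the script distinguishes "configured for the next kernel" from "in effect now".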

Rationale

Any unnecessary network stack, including IPv6, should be disabled to reduce the attack surface exposed to exploitation.

ID
xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument
Severity
Low
Remediation - OS Build Blueprint

[customizations.kernel]
append = "ipv6.disable=1"

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-82886-3
  - PCI-DSS-Req-1.3.1

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common; then

# Correct the form of default kernel command line in GRUB
if grep -q '^\s*GRUB_CMDLINE_LINUX=.*ipv6.disable=.*"'  '/etc/default/grub' ; then
       # modify the GRUB command-line if an ipv6.disable= arg already exists