Disable Kernel Parameter for IPv6 Forwarding
An XCCDF Rule
Description
To set the runtime status of the net.ipv6.conf.all.forwarding
kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.forwarding=0To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
: net.ipv6.conf.all.forwarding = 0
Rationale
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
- ID
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv6.conf.all.forwarding from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
Remediation - Ansible
- name: List /etc/sysctl.d/*.conf files
find:
paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/