Ensure IPv6 is disabled through kernel boot parameter

An XCCDF Rule

Description

To disable IPv6 protocol support in the Linux kernel, add the argument ipv6.disable=1 to the default GRUB2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain ipv6.disable=1 as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"

Rationale

Any unnecessary network stacks, including IPv6, should be disabled to reduce the vulnerability to exploitation.

ID: xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument
Severity: Low
References: Req-1.3.1 Req-1.3.2
Updated: about 1 month ago

Remediation Templates

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - PCI-DSS-Req-1.3.1
  - PCI-DSS-Req-1.3.2  - grub2_ipv6_disable_argument
  - low_disruption
  - low_severity
  - medium_complexity
  - reboot_required
  - restrict_strategy
- name: Update grub defaults and the bootloader menu
  command: /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
  when: '"grub2-common" in ansible_facts.packages'
  tags:
  - PCI-DSS-Req-1.3.1
  - PCI-DSS-Req-1.3.2
  - grub2_ipv6_disable_argument
  - low_disruption
  - low_severity
  - medium_complexity
  - reboot_required
  - restrict_strategy

[customizations.kernel]
append = "ipv6.disable=1"

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common; then
grubby --update-kernel=ALL --args=ipv6.disable=1

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure IPv6 is disabled through kernel boot parameter

Description

Rationale

Remediation Templates

An Ansible Snippet

OS Build Blueprint

A Shell Script