Disable IPv6 Addressing on IPv6 Interfaces by Default
An XCCDF Rule
Description
To disable support for IPv6 addressing on interfaces by default, add the following line to /etc/sysctl.d/ipv6.conf (or another file in /etc/sysctl.d):
net.ipv6.conf.default.disable_ipv6 = 1
This disables IPv6 on network interfaces by default while leaving the IPv6 stack itself loaded, as other services and system functionality require it to work.
Rationale
Any unnecessary network stacks, including IPv6, should be disabled to reduce the system's exposure to exploitation.
- ID
- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
      - /etc/sysctl.d/
      - /run/sysctl.d/
      - /usr/local/lib/sysctl.d/
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    # Comment out any occurrences of net.ipv6.conf.default.disable_ipv6 from /etc/sysctl.d/*.conf files
    for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
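The shell remediation above is cut off mid-loop. The following is an added, self-contained version of the same procedure (comment out conflicting assignments, write the enforced value, then verify); it is not the SSG remediation script itself. It assumes GNU sed and a hypothetical SYSCTL_DIR override so the logic can be exercised against a scratch directory instead of /etc/sysctl.d.

```shell
#!/bin/sh
# Added example, not the SSG remediation: enforce and verify
# net.ipv6.conf.default.disable_ipv6 = 1 in the sysctl.d drop-in directory.
SYSCTL_KEY="net.ipv6.conf.default.disable_ipv6"
SYSCTL_VALUE="1"
# SYSCTL_DIR is a hypothetical override so the functions can be tested on a temp dir.
SYSCTL_DIR="${SYSCTL_DIR:-/etc/sysctl.d}"
# Regex form of the key (dots escaped) for use in sed/grep patterns.
KEY_RE=$(printf '%s' "$SYSCTL_KEY" | sed 's/\./\\./g')

# Comment out every active (non-comment) assignment of the key in one file,
# preserving the original line as a comment so operator data is not lost.
comment_out_key() {
    f="$1"
    [ -f "$f" ] || return 0
    sed -i "s/^[[:space:]]*\(${KEY_RE}[[:space:]]*=.*\)$/# \1/" "$f"
}

# Neutralise conflicting assignments in all drop-ins, then write the enforced value.
remediate() {
    for f in "$SYSCTL_DIR"/*.conf; do
        comment_out_key "$f"
    done
    printf '%s = %s\n' "$SYSCTL_KEY" "$SYSCTL_VALUE" > "$SYSCTL_DIR/ipv6.conf"
}

# Check the on-disk configuration: sysctl applies files in lexical order and the
# last active assignment wins, so that one must carry the enforced value.
check_config() {
    effective=$(grep -h "^[[:space:]]*${KEY_RE}[[:space:]]*=" "$SYSCTL_DIR"/*.conf 2>/dev/null \
        | tail -n 1 | sed 's/.*=[[:space:]]*//')
    [ "$effective" = "$SYSCTL_VALUE" ]
}

# Check the running kernel value (requires a host with the IPv6 stack loaded).
check_runtime() {
    [ "$(sysctl -n "$SYSCTL_KEY" 2>/dev/null)" = "$SYSCTL_VALUE" ]
}

# Only touch the live system when explicitly asked: sh script.sh --apply (as root).
if [ "${1:-}" = "--apply" ]; then
    remediate && sysctl --system > /dev/null && check_runtime
fi
```

Run with --apply as root to remediate the live host; without it the script only defines the functions, so check_config can be used on its own as an audit step.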