← Back to SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

V-22541

CAT II (Medium)

The IPv6 protocol handler must not be bound to the network stack unless needed.

Rule ID

SV-45980r1_rule

STIG

SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

Version

V1R12

CCIs

CCI-001551

Discussion

IPv6 is the next version of the Internet protocol. Binding this protocol to the network stack increases the attack surface of the host.

Check Content

Use the ifconfig command to determine if any network interface has an IPv6 address bound to it:
# /sbin/ifconfig | grep inet6

If any lines are returned that indicate IPv6 is active and the system does not need IPv6, this is a finding.

Fix Text

Remove the capability to use IPv6 protocol handler.

Procedure:
Update the variable “IPV6_DISABLE” using YaST in the /etc/sysconfig editor under the ‘System’ > ‘Kernel’ tree.  Setting this variable to “YES” deactivates IPv6 at boot time.  Reboot the system to implement the change.

NOTE: This change may affect other software product(s) that have their own IPv6 configuration settings.