{"description": "To prevent the IPv6 kernel module (<tt>ipv6</tt>) from binding to the\nIPv6 networking stack, add the following line to\n<tt>/etc/modprobe.d/disabled.conf</tt> (or another file in\n<tt>/etc/modprobe.d</tt>):\n<pre>options ipv6 disable=1</pre>\nThis permits the IPv6 module to be loaded (and thus satisfy other modules that\ndepend on it), while disabling support for the IPv6 protocol.", "rationale": "Any unnecessary network stacks - including IPv6 - should be disabled, to reduce\nthe vulnerability to exploitation.", "severity": "medium", "references": {"cis-csc": ["11", "14", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS05.02", "DSS05.05", "DSS06.06"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.9.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.IP-1", "PR.PT-3"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the ipv6 kernel module is not disabled", "ocil": "If the system uses IPv6, this is not applicable.\n<br /><br />\nIf the system is configured to disable the\n<tt>ipv6</tt> kernel module, it will contain a line\nof the form:\n<pre>options ipv6 disable=1</pre>\nSuch lines may be inside any file in <tt>/etc/modprobe.d</tt> or the\ndeprecated <tt>/etc/modprobe.conf</tt>.  This permits insertion of the IPv6\nkernel module (which other parts of the system expect to be present), but\notherwise keeps it inactive.  Run the following command to search for such\nlines in all files in <tt>/etc/modprobe.d</tt> and the deprecated\n<tt>/etc/modprobe.conf</tt>:\n<pre xml:space=\"preserve\">$ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable IPv6 Networking Support Automatic Loading", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/rule.yml", "template": null}