{"description": "To disable support for (<tt>ipv6</tt>) addressing on all interface add the following line to\n<tt>/etc/sysctl.d/ipv6.conf</tt> (or another file in <tt>/etc/sysctl.d</tt>):\n<pre>net.ipv6.conf.all.disable_ipv6 = 1</pre>\nThis disables IPv6 on all network interfaces as other services and system\nfunctionality require the IPv6 stack loaded to work.", "rationale": "Any unnecessary network stacks - including IPv6 - should be disabled, to reduce\nthe vulnerability to exploitation.", "severity": "medium", "references": {"cis-csc": ["11", "14", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS05.02", "DSS05.05", "DSS06.06"], "cui": ["3.1.20"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.9.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.IP-1", "PR.PT-3"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the ipv6 support is disabled on all network interfaces", "ocil": "If the system uses IPv6, this is not applicable.\n<br /><br />\nIf the system is configured to prevent the usage of the <tt>ipv6</tt> on\nnetwork interfaces, it will contain a line of the form:\n<pre>net.ipv6.conf.all.disable_ipv6 = 1</pre>\nSuch lines may be inside any file in the <tt>/etc/sysctl.d</tt> directory.\nThis permits insertion of the IPv6 kernel module (which other parts of the\nsystem expect to be present), but otherwise keeps all network interfaces\nfrom using IPv6. Run the following command to search for such lines in all\nfiles in <tt>/etc/sysctl.d</tt>:\n<pre>$ grep -r ipv6 /etc/sysctl.d</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_net_ipv6_conf_all_disable_ipv6.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_net_ipv6_conf_all_disable_ipv6.sh"}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable IPv6 Addressing on All IPv6 Interfaces", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "net.ipv6.conf.all.disable_ipv6", "sysctlval": "1", "datatype": "int"}, "backends": {}}}