{"description": "To disable support for (<tt>ipv6</tt>) addressing on interfaces by default, add the following line to\n<tt>/etc/sysctl.d/ipv6.conf</tt> (or another file in <tt>/etc/sysctl.d</tt>):\n<pre>net.ipv6.conf.default.disable_ipv6 = 1</pre>\nThis disables IPv6 on network interfaces by default while keeping the IPv6 stack loaded, as other services and system\nfunctionality require it to work.", "rationale": "Any unnecessary network stacks - including IPv6 - should be disabled, to reduce\nthe vulnerability to exploitation.", "severity": "medium", "references": {"cis-csc": ["11", "14", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS05.02", "DSS05.05", "DSS06.06"], "cui": ["3.1.20"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.9.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.IP-1", "PR.PT-3"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the ipv6 support is disabled by default on network interfaces", "ocil": "If the system uses IPv6, this is not applicable.\n<br /><br />\nIf the system is configured to prevent the usage of <tt>ipv6</tt> on\nnetwork interfaces, it will contain a line of the form:\n<pre>net.ipv6.conf.default.disable_ipv6 = 1</pre>\nSuch lines may be inside any file in the <tt>/etc/sysctl.d</tt> directory.\nThis permits insertion of the IPv6 kernel module (which other parts of the\nsystem expect to be present), but otherwise keeps network interfaces\nfrom using IPv6. Run the following command to search for such lines in all\nfiles in <tt>/etc/sysctl.d</tt>:\n<pre>$ grep -r ipv6 /etc/sysctl.d</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_net_ipv6_conf_default_disable_ipv6.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_net_ipv6_conf_default_disable_ipv6.sh"}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable IPv6 Addressing on IPv6 Interfaces by Default", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_default_disable_ipv6/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "net.ipv6.conf.default.disable_ipv6", "sysctlval": "1", "datatype": "int"}, "backends": {}}}