Check: GEN007700
AIX 5.3 STIG: GEN007700 (in version v1 r3)
Title
The IPv6 protocol handler must not be bound to the network stack unless needed. (Cat II impact)
Discussion
IPv6 is the next version of the Internet protocol. Binding this protocol to the network stack increases the attack surface of the host.
Check Content
AIX comes with the IPv6 protocol handler installed and active. By default the only configured IPv6 address is on the loopback (localhost) adapter. Check whether any other interface has an IPv6 address active:

# ifconfig -a

If any IPv6 addresses are configured on network interfaces other than loopback and IPv6 is not needed, this is a finding.
Fix Text
Unbind the IPv6 protocol handler from the network stack. Edit /etc/rc.tcpip and comment out the autoconf6 entry to prevent IPv6 from starting automatically. Use smit to unconfigure IPv6 addresses from interfaces on which IPv6 is not needed:

# smit chinet6
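The check above is read from `ifconfig -a` by eye. The script below is an added example (not part of the STIG or of AIX itself) that automates both halves of this rule: it parses `ifconfig -a` output for `inet6` addresses on any interface other than `lo0`, and it reports whether `/etc/rc.tcpip` still carries an uncommented `autoconf6` start line. The `ifconfig` and `rc.tcpip` text are constructed samples passed in as strings so the functions can be exercised offline; the exact wording of the real `rc.tcpip` line is assumed to contain `autoconf6`, which is the only property the check relies on.

```shell
#!/bin/sh
# Added example for STIG GEN007700 (not the STIG's own text or an AIX tool).
# Parses `ifconfig -a` and /etc/rc.tcpip contents supplied as strings.

# Print "interface address" for every inet6 line not belonging to lo0.
# $1: full text of `ifconfig -a`.
ipv6_nonloopback() {
    printf '%s\n' "$1" | awk '
        # Interface header lines start in column 0, e.g. "en0: flags=..."
        /^[A-Za-z]/ { iface = $1; sub(/:$/, "", iface); next }
        # Address lines are indented; keep inet6 entries off the loopback.
        $1 == "inet6" && iface != "lo0" { print iface, $2 }
    '
}

# Print any line of rc.tcpip that would start autoconf6 (not commented out).
# $1: full text of /etc/rc.tcpip. Assumption: the start line mentions autoconf6.
autoconf6_enabled() {
    printf '%s\n' "$1" | awk '/autoconf6/ && $0 !~ /^[ \t]*#/'
}

# Return 0 (compliant) when no non-loopback IPv6 address is configured and
# autoconf6 is commented out; return 1 (finding) otherwise.
# $1: `ifconfig -a` text, $2: /etc/rc.tcpip text.
check_gen007700() {
    addrs=$(ipv6_nonloopback "$1")
    auto=$(autoconf6_enabled "$2")
    status=0
    if [ -n "$addrs" ]; then
        printf 'FINDING: IPv6 addresses on non-loopback interfaces:\n%s\n' "$addrs"
        status=1
    fi
    if [ -n "$auto" ]; then
        printf 'FINDING: autoconf6 still enabled in rc.tcpip:\n%s\n' "$auto"
        status=1
    fi
    [ "$status" -eq 0 ] && printf 'OK: IPv6 bound only to loopback, autoconf6 disabled\n'
    return "$status"
}

# Constructed sample of AIX `ifconfig -a` output (not captured from a real host).
SAMPLE_WITH_IPV6='en0: flags=1e084863,480<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 fe80::1/64
         tcp_sent_space 262144 tcp_recv_space 262144 rfc1323 1
lo0: flags=e08084b,c0<UP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,LARGESEND,CHAIN>
        inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
        inet6 ::1%1/128'

SAMPLE_LOOPBACK_ONLY='en0: flags=1e084863,480<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=e08084b,c0<UP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,LARGESEND,CHAIN>
        inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
        inet6 ::1%1/128'

# Constructed rc.tcpip fragments (assumed layout; only the autoconf6 token matters).
RCTCPIP_ENABLED='start /usr/sbin/autoconf6 ""'
RCTCPIP_DISABLED='#start /usr/sbin/autoconf6 ""'

# On a real AIX host:
#   check_gen007700 "$(ifconfig -a)" "$(cat /etc/rc.tcpip)"
```

The awk parser keys on the layout of `ifconfig -a` output, where the interface name begins an unindented line and its addresses follow on indented lines; anything not attributable to `lo0` with an `inet6` address is reported, which mirrors the finding condition in the check content.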
Additional Identifiers
Rule ID: SV-38918r1_rule
Vulnerability ID: V-22541
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001551 | The organization defines approved authorizations for controlling the flow of information between interconnected systems. |
Controls
| Number | Title |
|---|---|
| AC-4 | Information Flow Enforcement |