Check: RHEL-06-000523
Red Hat Enterprise Linux 6 STIG: RHEL-06-000523 (in versions v2 r2 through v1 r14)
Title
The system's local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets. (Cat II impact)
Discussion
In "ip6tables" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to "DROP" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.
Check Content
If IPv6 is disabled, this is not applicable.

Inspect the file "/etc/sysconfig/ip6tables" to determine the default policy for the INPUT chain. It should be set to DROP:

# grep ":INPUT" /etc/sysconfig/ip6tables

If the default policy for the INPUT chain is not set to DROP, this is a finding.
Fix Text
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain, which processes incoming packets, add or correct the following line in "/etc/sysconfig/ip6tables":

:INPUT DROP [0:0]

Restart the IPv6 firewall:

# service ip6tables restart
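The check and fix above, as an added POSIX shell example that is not part of the STIG text: it reads the ":INPUT" policy line of the filter table from an ip6tables-save style file (normally /etc/sysconfig/ip6tables) and reports the result in STIG terms. It goes slightly beyond the page's grep: the mangle, nat and raw tables carry their own ":INPUT" lines, so the script tracks the "*filter" header and reports only the filter table's policy, and it shows that a ruleset ending in a REJECT rule with an ACCEPT policy is still a finding. The three rulesets it writes are constructed samples, and it assumes awk and mktemp are available.

```shell
#!/bin/sh
# Added example, not part of the STIG text: audit the default INPUT policy of
# the filter table in an ip6tables-save style file and report it in STIG terms.
# The sample rulesets below are constructed for the demonstration.

# Print the policy of the INPUT chain in the filter table of file $1.
# Other tables (mangle, nat, raw) have their own ":INPUT" lines, so a plain
# grep ":INPUT" can match several; the "*table" header is tracked and only
# the filter table's policy is printed. Prints MISSING if no such line exists.
filter_input_policy() {
    awk 'BEGIN { table = "filter" }              # a file with no header is filter-only
         /^\*/ { table = substr($1, 2); next }   # "*filter", "*mangle", ...
         table == "filter" && $1 == ":INPUT" { print $2; found = 1; exit }
         END { if (!found) print "MISSING" }' "$1"
}

# Return 0 when the filter INPUT policy is DROP (not a finding), 1 otherwise.
# The STIG check is on the policy line only: a trailing "-j REJECT" rule
# under an ACCEPT policy is still a finding for RHEL-06-000523.
check_input_policy() {
    policy=$(filter_input_policy "$1")
    if [ "$policy" = "DROP" ]; then
        printf '%s: INPUT policy %s -> not a finding\n' "$1" "$policy"
        return 0
    fi
    printf '%s: INPUT policy %s -> FINDING (RHEL-06-000523)\n' "$1" "$policy"
    return 1
}

SAMPLE_DIR=$(mktemp -d)

# Constructed compliant ruleset: deny-all policy with allow-by-exception
# rules (loopback, established traffic, ICMPv6 for neighbour discovery, SSH).
COMPLIANT="$SAMPLE_DIR/ip6tables.compliant"
cat > "$COMPLIANT" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
COMMIT
EOF

# Constructed finding: ACCEPT policy, even though the final REJECT rule
# makes the chain deny-by-default in practice.
FINDING="$SAMPLE_DIR/ip6tables.finding"
cat > "$FINDING" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF

# Constructed compliant ruleset with the mangle table first: a naive
# grep ":INPUT" prints the mangle ACCEPT line before the filter DROP line.
MANGLE_FIRST="$SAMPLE_DIR/ip6tables.mangle-first"
cat > "$MANGLE_FIRST" <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF

for f in "$COMPLIANT" "$FINDING" "$MANGLE_FIRST"; do
    check_input_policy "$f"
done
```

To audit a real host, call check_input_policy /etc/sysconfig/ip6tables; the exit status (0 = not a finding) makes it usable from a compliance script, and the remediation remains the ":INPUT DROP [0:0]" line plus a service ip6tables restart as the fix text states.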
Additional Identifiers
Rule ID: SV-218102r603264_rule
Vulnerability ID: V-218102
Group Title: SRG-OS-000480
CCIs
Number | Definition
---|---
CCI-000066 | The organization enforces requirements for remote connections to the information system.
CCI-000366 | The organization implements the security configuration settings.
CCI-002406 | The organization implements organization-defined host-based boundary protection mechanisms at organization-defined information system components.