Title

RHEL 9 must not enable IPv6 packet forwarding unless the system is a router. (Cat II impact)

Discussion

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

Check Content

Verify RHEL 9 is not performing IPv6 packet forwarding, unless the system is a router. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. Check that IPv6 forwarding is disabled using the following commands: $ sudo sysctl net.ipv6.conf.all.forwarding net.ipv6.conf.all.forwarding = 0 If the IPv6 forwarding value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv6.conf.all.forwarding | tail -1 net.ipv6.conf.all.forwarding = 0 If "net.ipv6.conf.all.forwarding" is not set to "0" or is missing, this is a finding.

Fix Text

Configure RHEL 9 to not allow IPv6 packet forwarding, unless the system is a router. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv6.conf.all.forwarding = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system

Additional Identifiers

Rule ID: SV-257974r943005_rule

Vulnerability ID: V-257974

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.