Check: GEN007700
Solaris 9 X86 STIG:
GEN007700
(in version v1 r9)
Title
The IPv6 protocol handler must not be bound to the network stack unless needed. (Cat II impact)
Discussion
IPv6 is the successor to IPv4. Binding its protocol handler to the network stack on a host that does not need it exposes additional addresses (including automatically configured link-local addresses) and a Neighbor Discovery daemon, enlarging the attack surface of the host.
Check Content
Ask the SA if the system is on an IPv6 network. If so, this check is not applicable.

Verify there are no IPv6 addresses bound to network interfaces:
# ifconfig -a6
If any interface lists an inet6 address, this is a finding.

Verify the IPv6 Neighbor Discovery Protocol (NDP) daemon is not running:
# ps -ef | grep in.ndp
If the NDP daemon (in.ndpd) is running, this is a finding. Note that the grep process itself matches this pattern; use ps -ef | grep '[i]n.ndpd' or pgrep -l in.ndpd to list only the daemon.
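The two checks above, as an added example script that is not part of the STIG text. It evaluates captured `ifconfig -a6` and `ps -ef` output so it can be tested against sample data, and emits the Fix Text ifconfig commands for review rather than running them. It assumes Solaris 9 output formats as shown in the constructed samples; the function names are the author's own.

```shell
#!/bin/sh
# Added example for GEN007700 (not part of the STIG text).
# Assumptions: Solaris 9 `ifconfig -a6` and `ps -ef` output formats as in the
# constructed samples below; function names are hypothetical.

# Count IPv6 addresses bound to interfaces. $1 is the text of `ifconfig -a6`.
# Every "inet6" line is a bound address; the STIG text makes no exception for lo0.
count_inet6() {
    printf '%s\n' "$1" | grep -c 'inet6 ' || true
}

# Exit 0 when in.ndpd appears in `ps -ef` output passed as $1.
# The daemon is in.ndpd; the STIG's pattern "in.ndp" is a prefix of it. When run
# live as `ps -ef | grep in.ndp` the grep process matches itself, so use
# `grep '[i]n.ndpd'` interactively. Here ps output is captured first, so the
# grep never appears in it.
ndpd_running() {
    printf '%s\n' "$1" | grep 'in\.ndpd' >/dev/null
}

# Evaluate GEN007700. $1 = `ifconfig -a6` output, $2 = `ps -ef` output.
# Prints each finding; returns 0 when compliant, 1 when there is a finding.
gen007700_check() {
    status=0
    n=$(count_inet6 "$1")
    if [ "$n" -gt 0 ]; then
        echo "GEN007700 finding: $n IPv6 address(es) bound to network interfaces"
        status=1
    fi
    if ndpd_running "$2"; then
        echo "GEN007700 finding: in.ndpd (IPv6 Neighbor Discovery) is running"
        status=1
    fi
    return $status
}

# Emit (do not run) the Fix Text ifconfig command for every interface that
# `ifconfig -a6` reports, so the SA can review them before unplumbing.
# Interface header lines look like "name: flags=..."; address lines are indented.
gen007700_fix_plan() {
    printf '%s\n' "$1" \
      | sed -n 's/^\([^ ]*\): flags=.*/ifconfig \1 inet6 down unplumb/p'
}

# Live use on the host being assessed (not executed here):
#   gen007700_check "$(ifconfig -a6 2>/dev/null)" "$(ps -ef)"
#   gen007700_fix_plan "$(ifconfig -a6 2>/dev/null)"

# Constructed sample outputs; not captured from a real system.
SAMPLE_IF_IPV6='lo0: flags=2000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6> mtu 8252 index 1
        inet6 ::1/128
iprb0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
        inet6 fe80::203:baff:fe12:3456/10'
SAMPLE_IF_NONE=''
SAMPLE_PS_NDPD='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     0     0  0   Jan 01 ?        0:01 sched
    root   142     1  0   Jan 01 ?        0:00 /usr/lib/inet/in.ndpd'
SAMPLE_PS_CLEAN='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     0     0  0   Jan 01 ?        0:01 sched
    root   130     1  0   Jan 01 ?        0:00 /usr/sbin/inetd -s'
```

Against the first sample pair the check reports two bound IPv6 addresses and a running in.ndpd and returns 1; against the empty ifconfig output and the clean process list it returns 0. The fix plan for the first sample produces one `ifconfig <interface> inet6 down unplumb` line per interface header (lo0 and iprb0).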
Fix Text
Disable the IPv6 Neighbor Discovery Protocol daemon:
# svcadm disable ndp
Note that svcadm manages SMF services, which exist from Solaris 10 onward. On Solaris 9, in.ndpd is started at boot by /etc/init.d/inetinit when IPv6 interfaces (/etc/hostname6.*) are configured, so removing those files as described below prevents it from restarting; stop the running instance with pkill in.ndpd.

Remove all IPv6 addresses from network interfaces. Perform the following for every interface with an IPv6 address bound to it:
# ifconfig <interface> inet6 down unplumb

Remove all IPv6 network interface configuration:
# rm /etc/hostname6.*
Additional Identifiers
Rule ID: SV-42321r1_rule
Vulnerability ID: V-22541
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001551 | The organization defines approved authorizations for controlling the flow of information between interconnected systems. |
Controls
Number | Title |
---|---|
AC-4 | Information Flow Enforcement |