Check: GEN007780
SUSE Linux Enterprise Server v11 for System z STIG:
GEN007780
(in versions v1 r12 through v1 r9)
Title
The system must not have 6to4 enabled. (Cat II impact)
Discussion
6to4 is an IPv6 transition mechanism involving tunneling IPv6 packets encapsulated in IPv4 packets on an ad-hoc basis. This is not a preferred transition strategy and increases the attack surface of the system.
Check Content
Check the system for any active 6to4 tunnels without specific remote addresses:
# ip tun list | grep "remote any" | grep "ipv6/ip"
If any results are returned, the tunnel name is the first field of each line. If any results are returned, this is a finding.
Fix Text
Disable the active 6to4 tunnel:
# ip link set <tunnel> down
Add this command to a startup script, or remove the configuration that creates the tunnel.
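The check and fix above, as an added example that is not part of the STIG text: a small POSIX shell script that applies the same two greps to the `ip tunnel show` listing, extracts the tunnel name from the first field, and prints the corresponding fix command for review instead of executing it. The sample listing is constructed for the example; the function names are the script's own.

```shell
#!/bin/sh
# Added example, not part of the STIG. Sample `ip tunnel show` output is
# constructed to cover the cases the check distinguishes: a 6to4 tunnel with
# no specific remote (finding), a GRE tunnel (not ipv6/ip), and a point-to-
# point sit tunnel with a fixed remote (not "remote any").
SAMPLE_TUNNELS='sit0: ipv6/ip remote any local any ttl 64 nopmtudisc 6rd-prefix 2002::/16
tun6to4: ipv6/ip remote any local 192.0.2.10 ttl 64
gre1: gre/ip remote 198.51.100.5 local 192.0.2.10 ttl inherit
sit1: ipv6/ip remote 203.0.113.7 local 192.0.2.10 ttl 64'

# Read a tunnel listing on stdin and print the name of every ipv6/ip tunnel
# whose remote is "any" (the STIG condition), one per line, colon stripped.
find_6to4_findings() {
    grep "remote any" | grep "ipv6/ip" | awk '{ sub(/:$/, "", $1); print $1 }'
}

# Return 1 (finding) if the listing on stdin has any matching tunnel, else 0.
finding_status() {
    if [ -n "$(find_6to4_findings)" ]; then
        return 1
    fi
    return 0
}

# Print, without running, the fix-text command for each finding on stdin,
# so an administrator can review before taking interfaces down.
print_fix_commands() {
    find_6to4_findings | while read -r name; do
        printf 'ip link set %s down\n' "$name"
    done
}

# Run the check against the live system (listing tunnels needs no privilege;
# applying the printed commands does).
check_live() {
    ip tunnel show | print_fix_commands
}
```

The kernel's fallback device sit0 is listed with "remote any local any" whenever the sit module is loaded, so it matches this check even when no administrator configured a tunnel; the STIG counts any such result as a finding.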
Additional Identifiers
Rule ID: SV-45982r1_rule
Vulnerability ID: V-22545
Group Title: GEN007780
CCIs
Number | Definition
---|---
CCI-001551 | The organization defines approved authorizations for controlling the flow of information between interconnected systems.
Controls
Number | Title
---|---
AC-4 | Information Flow Enforcement