Check: GEN007700
SUSE Linux Enterprise Server v11 for System z STIG:
GEN007700
(in versions v1 r12 through v1 r9)
Title
The IPv6 protocol handler must not be bound to the network stack unless needed. (Cat II impact)
Discussion
IPv6 is the next version of the Internet protocol. Binding this protocol to the network stack increases the attack surface of the host.
Check Content
Use the ifconfig command to determine if any network interface has an IPv6 address bound to it:

# /sbin/ifconfig | grep inet6

If any lines are returned, indicating that IPv6 is active, and the system does not need IPv6, this is a finding.
Fix Text
Remove the capability to use the IPv6 protocol handler.

Procedure:
1. Update the variable “IPV6_DISABLE” using YaST in the /etc/sysconfig editor under the ‘System’ > ‘Kernel’ tree. Setting this variable to “YES” deactivates IPv6 at boot time.
2. Reboot the system to implement the change.

NOTE: This change may affect other software product(s) that have their own IPv6 configuration settings.
Additional Identifiers
Rule ID: SV-45980r1_rule
Vulnerability ID: V-22541
Group Title: GEN007700
CCIs
Number | Definition
---|---
CCI-001551 | The organization defines approved authorizations for controlling the flow of information between interconnected systems.
Controls
Number | Title
---|---
AC-4 | Information Flow Enforcement