Title

The system must not have IP forwarding for IPv6 enabled, unless the system is an IPv6 router. (Cat II impact)

Discussion

If the system is configured for IP forwarding and is not a designated router, it could be used to bypass network security by providing a path for communication not filtered by network devices.

Check Content

Check if the system is configured for IPv6 forwarding. # grep [01] /proc/sys/net/ipv6/conf/*/forwarding|egrep "default|all" If the /proc/sys/net/ipv6/conf/*/forwarding entries do not exist because of compliance with GEN007720, this is not a finding. If all of the resulting lines do not end with 0, this is a finding.

Fix Text

Disable IPv6 forwarding. Edit /etc/sysctl.conf and add a setting for "net.ipv6.conf.all.forwarding=0" and "net.ipv6.conf.default.forwarding=0". Reload the sysctls. Procedure: # sysctl -p

Additional Identifiers

Rule ID: SV-46115r2_rule

Vulnerability ID: V-22491

Group Title: GEN005610

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.