Details
Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented.
Rationale:
If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system.
Solution
Use one of the two following methods to disable IPv6 on the system:
To disable IPv6 through the GRUB2 config:
Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters:
GRUB_CMDLINE_LINUX=’ipv6.disable=1′
Run the following command to update the grub2 configuration:
# grub2-mkconfig -o /boot/grub2/grub.cfg
OR
To disable IPv6 through sysctl settings:
Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
Run the following commands to set the active kernel parameters:
# sysctl -w net.ipv6.conf.all.disable_ipv6=1
# sysctl -w net.ipv6.conf.default.disable_ipv6=1
# sysctl -w net.ipv6.route.flush=1
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.