Details

Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented.

Rationale:

If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system.

Solution

Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters:

GRUB_CMDLINE_LINUX=’ipv6.disable=1′

Run the following command to update the grub2 configuration:

# update-grub

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/2971

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Unix.

References

• 800-53|SC-7(12)
• CSCv6|3
• CSCv6|9.1
• CSCv6|11
• CSCv7|9.4

Source

• Tenable.com/audits