Just for those who want IPv6 off and to stay off, here are the configurations I
use to disable IPv6 in a nice bash script:

#!/bin/bash
# Disable IPv6 (uses bash features: &> redirection)

# Keep the ipv6 module from initializing and disable IPv6 on all interfaces.
# Append each line only if it is not already there, so re-runs do not duplicate it.
grep -qsxF "options ipv6 disable=1" /etc/modprobe.d/usgcb-blacklist.conf ||
        echo "options ipv6 disable=1" >> /etc/modprobe.d/usgcb-blacklist.conf
grep -qsxF "net.ipv6.conf.all.disable_ipv6=1" /etc/sysctl.conf ||
        echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.conf

# For each key below: add it if missing, otherwise flip the existing value.
if ! grep -q NETWORKING_IPV6 /etc/sysconfig/network; then
        echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
else
        sed -i "/NETWORKING_IPV6/s/yes/no/" /etc/sysconfig/network
fi

if ! grep -q IPV6INIT /etc/sysconfig/network; then
        echo "IPV6INIT=no" >> /etc/sysconfig/network
else
        sed -i "/IPV6INIT/s/yes/no/" /etc/sysconfig/network
fi

if ! grep -q NOZEROCONF /etc/sysconfig/network; then
        echo "NOZEROCONF=yes" >> /etc/sysconfig/network
else
        sed -i "/NOZEROCONF/s/no/yes/" /etc/sysconfig/network
fi

if grep -q 'IPV6_AUTOTUNNEL' /etc/sysconfig/network; then
        if grep -q 'IPV6_AUTOTUNNEL=yes' /etc/sysconfig/network; then
                sed -i -e 's/IPV6_AUTOTUNNEL=yes/IPV6_AUTOTUNNEL=no/g' /etc/sysconfig/network
        fi
else
        echo "IPV6_AUTOTUNNEL=no" >> /etc/sysconfig/network
fi

# Take down and delete any existing IPv6-in-IP tunnel devices.
for TUNDEV in $(ip tun list | awk -F ':' '/remote any/ && /ipv6\/ip/{print $1}'); do
        ip link set "$TUNDEV" down &>/dev/null
        ip tun del name "$TUNDEV" &>/dev/null
done

# Stop ip6tables and keep it from starting at boot, if it is enabled.
if chkconfig --list ip6tables | grep -q ':on'; then
        service ip6tables stop &>/dev/null
        chkconfig ip6tables off &>/dev/null
fi

# Unload the module from the running kernel (fails quietly if it is in use).
rmmod ipv6 &>/dev/null

exit 0

----- Original Message -----
From: "Randall D. CTR Beavers (US)" <[email protected]>
To: "SCAP Security Guide" <[email protected]>
Sent: Tuesday, March 25, 2014 5:43:45 PM
Subject: RE: IPV6 and security? (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

If I get a penny for my thoughts, then I put in my two cents...where
does that other penny go?

On Tue, Mar 25, 2014 at 3:22 PM, Steve Grubb <[email protected]> wrote:


        The view taken in hardening systems is if you don't need something,
        turn it off so that you don't have inadvertent security problems.
        Paraphrasing the RHEL5 SNAC guide, it says if you need IPv6, here are
        the hardening steps. If you do not, then turn it off. That is the
        prudent thing to do in all cases.


An additional thought that we've done on past programs is:

Maybe not only "turn off" IPv6, but I've gone through the effort of
following the STIGs to set all of the security configurations, AND turn
it off.  Why you ask?  Because if IPv6 is "turned on" by malicious or
inadvertent activity later, then it is already STIG-compliant, thereby
providing some level of security.  If one simply turns it off, it still
"may" leave the system somewhat vulnerable IMHO.

v/r,

Randy Beavers, GSLC, CISSP
System Security Engineer
Multi-Mission Launcher
256-842-5426 office
256-289-6054 cell
[email protected]
[email protected]


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
Andrew Gilmore
Sent: Tuesday, March 25, 2014 4:33 PM
To: SCAP Security Guide
Subject: Re: IPV6 and security?

Thanks for the info! 

On Tue, Mar 25, 2014 at 3:22 PM, Steve Grubb <[email protected]> wrote:


        The view taken in hardening systems is if you don't need something,
        turn it off so that you don't have inadvertent security problems.
        Paraphrasing the RHEL5 SNAC guide, it says if you need IPv6, here are
        the hardening steps. If you do not, then turn it off. That is the
        prudent thing to do in all cases.
        


Definitely, and for the last 12 years, all I've heard is we don't need
IPV6, turn it off.
 

        Put another way, it's not that IPv6 is insecure...it's very well
        tested. It's that if you don't need it or use it and a security
        bulletin comes along for it, it's easy to dismiss because you didn't
        intend to use it.


This was part of my real question, I guess. Much of what I had heard
about IPV6 focused on the relative maturity of the stack, compared to
IPV4, and suggested that some of the same types of critical
vulnerabilities that we saw in the 90s may be lurking in this stack.
It's good to hear your confidence in the tech.


        I'd put this back on the OP. Who said it _is_ insecure?
        


I implied that there were concerns, but that was an uninformed position.
This may have been fostered in other benchmarks I've been involved in,
but I'd have to go re-read them to make sure I wasn't reading it in.

Thanks!

Andrew


Classification: UNCLASSIFIED
Caveats: NONE


_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

-- 
Frank Caviggia
Consultant, Red Hat
[email protected]
(M) (571) 295-4560
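
A read-only check that the settings written by the script at the top of this message are still the effective ones, covering the "turned on later" case raised in the thread. This is an added example, not part of the original thread; the function names and the optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the IPv6-off settings without changing anything.
# The optional prefix argument (hypothetical) lets it run against a copied tree.

# Print the effective (last) value assigned to key $1 in file $2.
# Commented-out lines are ignored; prints nothing if the key or file is absent.
last_value() {
    [ -r "$2" ] || return 0
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tail -n 1 | tr -d '"[:space:]'
}

# Return 0 if every setting matches what the script leaves behind,
# otherwise print one FAIL line per finding and return 1.
audit_ipv6_off() {
    root="${1:-}"
    rc=0
    net="$root/etc/sysconfig/network"
    for pair in NETWORKING_IPV6=no IPV6INIT=no IPV6_AUTOTUNNEL=no NOZEROCONF=yes; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(last_value "$key" "$net")
        if [ "$got" != "$want" ]; then
            echo "FAIL $net: $key='${got:-unset}' (want $want)"
            rc=1
        fi
    done
    # A later line in sysctl.conf overrides an earlier one, so check the last.
    got=$(last_value 'net\.ipv6\.conf\.all\.disable_ipv6' "$root/etc/sysctl.conf")
    if [ "$got" != "1" ]; then
        echo "FAIL sysctl.conf: disable_ipv6='${got:-unset}' (want 1)"
        rc=1
    fi
    # The module option may live in any modprobe.d file, not only the one above.
    if ! grep -Eqs '^[[:space:]]*options[[:space:]]+ipv6[[:space:]]+(.*[[:space:]])?disable=1([[:space:]]|$)' \
            "$root"/etc/modprobe.d/*.conf; then
        echo "FAIL modprobe.d: no 'options ipv6 disable=1' line"
        rc=1
    fi
    return $rc
}
```

Run `audit_ipv6_off` with no argument to check the live system; because it reads the last assignment of each key, it also catches a value appended after the original script ran.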