OL 9 must not enable IPv6 packet forwarding unless the system is a router.

STIG ID: OL09-00-006043  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-271880

Vulnerability Discussion

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

Check

Note: If IPv6 is disabled on the system, this requirement is Not Applicable.

Verify that OL 9 is not performing IPv6 packet forwarding, unless the system is a router.

Check that IPv6 forwarding is disabled using the following commands:

$ sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 0

If the IPv6 forwarding value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix

Configure OL 9 to not allow IPv6 packet forwarding unless the system is a router.

Add or edit the following line in a single system configuration file in the "/etc/sysctl.d/" directory:

net.ipv6.conf.all.forwarding = 0

Load settings from all system configuration files with the following command:

$ sudo sysctl --system
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.