Disable IPv6 (stig V-38546)

[#119692507](https://www.pivotaltracker.com/story/show/119692507) Signed-off-by: Cornelius Schumacher <cschum@suse.com>
cloudfoundry · Jun 11, 2016 · 44607ae · 44607ae
1 parent 1cc97db
commit 44607ae
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/bosh-stemcell/spec/support/os_image_shared_examples.rb b/bosh-stemcell/spec/support/os_image_shared_examples.rb
@@ -414,6 +414,13 @@
     end
   end
 
+  describe 'IPv6 should be disabled (stig: V-38546)' do
+    context file('/etc/sysctl.d/60-bosh-sysctl.conf') do
+      its (:content) { should match /^net\.ipv6\.conf\.all\.disable_ipv6=1$/ }
+      its (:content) { should match /^net\.ipv6\.conf\.default\.disable_ipv6=1$/ }
+    end
+  end
+
   describe 'auditd configuration' do
     describe file('/var/log/audit') do
       it { should be_directory }

diff --git a/stemcell_builder/stages/bosh_sysctl/assets/60-bosh-sysctl.conf b/stemcell_builder/stages/bosh_sysctl/assets/60-bosh-sysctl.conf
@@ -17,6 +17,8 @@ net.ipv4.tcp_syncookies=1
 net.ipv4.icmp_echo_ignore_broadcasts=1
 net.ipv4.icmp_ignore_bogus_error_responses=1
 
+net.ipv6.conf.all.disable_ipv6=1
+net.ipv6.conf.default.disable_ipv6=1
 net.ipv6.conf.default.accept_redirects=0
 
 kernel.exec-shield=1