
Disable IPv6 | sysctl-18 net.ipv6.conf.all.disable_ipv6: 1 #406

Closed
joubbi opened this issue Feb 20, 2021 · 5 comments

Comments

@joubbi
Contributor

joubbi commented Feb 20, 2021

Describe the bug
I noticed that this is set in /os_hardening/defaults/main.yml:

# Disable IPv6 | sysctl-18
net.ipv6.conf.all.disable_ipv6: 1

Regardless of what your opinion is about disabling IPv6 as a security measure, the above way of doing it gives unexpected results.
On a default EL7 or EL8 IPv6 would still be enabled.

Trying to completely disable IPv6 by default would be hard and would break stuff in many settings.
There are many steps with many gotchas in the official RedHat documentation here:
https://access.redhat.com/solutions/8709

For all Red Hat Enterprise Linux revisions that run NetworkManager. When using sysctls to disable IPv6, NetworkManager may override these settings by default, leaving IPv6 enabled on some interfaces. To avoid this, IPv6 must be disabled on each interface using the nmcli parameter and option ipv6.method ignore or disable in addition to IPv6 being disabled via the sysctls.

In RHEL8 the "ignore" parameter was replaced with "disabled".

Examples:

Use "nmcli conn show" to get the NIC name.

For RHEL8:
# nmcli connection modify <NIC name> ipv6.method "disabled"

For RHEL7:
# nmcli connection modify <NIC name> ipv6.method "ignore"

Expected behavior
IPv6 disabled.

Actual behavior
IPv6 enabled.
This actual behavior is probably what we want anyway ;-)

Role Version

7.2.0

Additional context
CIS Level 2 has this (which is not complete either in my opinion compared with the RedHat document).
Also note that it is level 2, which is interrupting and should not be done blindly without understanding the consequences, so I don't think we should have it as a default either.

3.6 Disable IPv6 (Not Scored)

Profile Applicability:
 Level 2 - Server
 Level 2 - Workstation

Description:

Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented.

Rationale:

If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system.

Audit:

Run the following command to verify
# grep -E "^\s*kernelopts=(\S+\s+)*ipv6\.disable=1\b\s*(\S+\s*)*$" /boot/grub2/grubenv
Output should include
ipv6.disable=1

Remediation:

Edit /etc/default/grub and add ipv6.disable=1 to the GRUB_CMDLINE_LINUX parameters:
GRUB_CMDLINE_LINUX="ipv6.disable=1"
Run the following command to update the grub2 configuration:
# grub2-mkconfig -o /boot/grub2/grub.cfg
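A check that combines the three layers discussed above (the kernel cmdline from CIS 3.6, the sysctl the role sets, and NetworkManager's per-connection ipv6.method), as an added example that is not part of the issue, the os_hardening role or Red Hat's documentation. The nmcli invocations in the live wrapper are assumed from NetworkManager 1.10 or later; classify_ipv6 takes its inputs as arguments so the logic can be exercised on constructed values without a RHEL host.

```shell
#!/bin/sh
# Added example (not from the issue, the os_hardening role or Red Hat's docs).
# Reports the *effective* IPv6 state by combining the three layers the issue
# describes: the kernel cmdline (CIS 3.6, ipv6.disable=1), the sysctl the role
# sets (net.ipv6.conf.all.disable_ipv6) and NetworkManager's per-connection
# ipv6.method, which can re-enable IPv6 on an interface despite the sysctl.

# classify_ipv6 CMDLINE SYSCTL_VALUE NM_METHODS
#   CMDLINE      contents of /proc/cmdline
#   SYSCTL_VALUE net.ipv6.conf.all.disable_ipv6 (0/1, or "missing" if no IPv6 stack)
#   NM_METHODS   lines "connection:ipv6.method"; empty when NetworkManager is absent
# Prints one of: kernel-disabled | disabled | nm-overrides | enabled
classify_ipv6() {
    cmdline=$1 sysctl_val=$2 nm_methods=$3
    case " $cmdline " in
        *" ipv6.disable=1 "*) echo kernel-disabled; return 0 ;;
    esac
    [ "$sysctl_val" = missing ] && { echo kernel-disabled; return 0; }
    [ "$sysctl_val" = 1 ] || { echo enabled; return 0; }
    # sysctl asks for "off"; any connection whose method is not ignore (EL7)
    # or disabled (EL8) lets NetworkManager turn IPv6 back on for that NIC.
    overriding=$(printf '%s\n' "$nm_methods" |
        awk -F: 'NF >= 2 && $2 != "ignore" && $2 != "disabled" { print $1 }')
    [ -n "$overriding" ] && { echo nm-overrides; return 0; }
    echo disabled
}

# Live wrapper for a real host. The nmcli -t/-g output format is assumed
# from NetworkManager >= 1.10 (EL7.5+ and EL8).
live_report() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    sysctl_val=$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null || echo missing)
    nm=""
    if command -v nmcli >/dev/null 2>&1; then
        nm=$(nmcli -t -f NAME connection show 2>/dev/null | while IFS= read -r c; do
            printf '%s:%s\n' "$c" "$(nmcli -g ipv6.method connection show "$c" 2>/dev/null)"
        done)
    fi
    classify_ipv6 "$cmdline" "$sysctl_val" "$nm"
}

# Run against the current host only when asked: ./ipv6-state.sh --live
if [ "${1:-}" = "--live" ]; then live_report; fi
```

A result of nm-overrides is exactly the situation the issue reports: the role's sysctl is set, yet IPv6 stays up on every connection NetworkManager manages with ipv6.method auto.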

@joubbi
Contributor Author

joubbi commented Mar 24, 2021

@schurzi or someone else, could you please look at this one? Why not just remove this sysctl completely, as in #416?

I am afraid that I will get strange issues that are hard to troubleshoot due to this.
As it is now, IPv6 is enabled on a default RHEL.
But if someone decides to disable NetworkManager, then IPv6 would probably stop working, which is not something you would expect.
Since running the servers without IPv6 is untested in my environment, I don't know if that would break something.

Having the sysctl there makes things just unpredictable and confusing without adding any security.

Also, remember that IPv6 is here soon!

@danielkubat
Contributor

@joubbi I agree with you.

Disabling via kernel parameter may give users an illusion that it is actually disabling IPv6, but unfortunately it is not true, as you correctly explained. Considering how complex it is to fully disable IPv6 in current EL and how many things may break, I would vote as well for removal of the net.ipv6.conf.all.disable_ipv6: 1 and updating the documentation with a notice that IPv6 remains enabled.

@rndmh3ro
Member

rndmh3ro commented Apr 28, 2021

After reading the RHEL-docs, I agree with you.

However, if we remove this, we should remove everything related to the disablement of IPv6. This includes the tests in the baseline: https://github.com/dev-sec/linux-baseline and code in the ssh-role.

@joubbi
Contributor Author

joubbi commented May 2, 2021

I don't think you should remove anything else but the sysctl net.ipv6.conf.all.disable_ipv6 and its corresponding test in the baseline.
For sshd not to listen on IPv6 is ok, and I would say even recommended if you are not actively connecting to the IPv6 address. I don't think that anyone with a dual stack system would SSH into the IPv6 address since the IPv4 address is much shorter.

For those that have fully migrated to IPv6 the situation is different. They would probably understand that they have to enable IPv6 in sshd and other daemons that they use.

@schurzi
Contributor

schurzi commented May 30, 2021

I think everything discussed here is now covered, so I'm closing this. If you see any further issues or questions please re-open or open a new issue. :)

@schurzi schurzi closed this as completed May 30, 2021