search

CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0
13.5k stars 1.49k forks source link

Lynis Ignores IPV6 Kernel Blacklisting #1146

Open yupthatguy opened 3 years ago

yupthatguy commented 3 years ago

Describe the bug

Lynis ignores kernel blacklisting of IPv6

I have disabled (blacklisted) the IPV6 kernel module in multiple ways, rebooting multiple times:

https://wiki.debian.org/KernelModuleBlacklisting

But regardless of whatever method that I use, lynis still shows:

[+] Networking

- Checking IPv6 configuration [ ENABLED ]
Configuration method [ AUTO ]
IPv6 only [ NO ]

Version

Expected behavior Lynis at some point should confirm that IPV6 is disabled at the kernel level

Output If applicable, add output that you get from the tool or the related section of lynis.log

The output of # sysctl -a | grep "^net.ipv6" is :

net.ipv6.anycast_src_echo_reply = 0
net.ipv6.auto_flowlabels = 1
net.ipv6.bindv6only = 0
net.ipv6.conf.all.accept_dad = 0
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.accept_ra_defrtr = 1
net.ipv6.conf.all.accept_ra_from_local = 0
net.ipv6.conf.all.accept_ra_min_hop_limit = 1
net.ipv6.conf.all.accept_ra_mtu = 1
net.ipv6.conf.all.accept_ra_pinfo = 1
net.ipv6.conf.all.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.all.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.addr_gen_mode = 0
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.dad_transmits = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.all.disable_policy = 0
net.ipv6.conf.all.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.all.drop_unsolicited_na = 0
net.ipv6.conf.all.enhanced_dad = 1
net.ipv6.conf.all.force_mld_version = 0
net.ipv6.conf.all.force_tllao = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.hop_limit = 64
net.ipv6.conf.all.ignore_routes_with_linkdown = 0
net.ipv6.conf.all.keep_addr_on_down = 0
net.ipv6.conf.all.max_addresses = 16
net.ipv6.conf.all.max_desync_factor = 600
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.all.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.all.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.all.mtu = 1280
net.ipv6.conf.all.ndisc_notify = 0
net.ipv6.conf.all.ndisc_tclass = 0
net.ipv6.conf.all.optimistic_dad = 0
net.ipv6.conf.all.proxy_ndp = 0
net.ipv6.conf.all.regen_max_retry = 3
net.ipv6.conf.all.router_probe_interval = 60
net.ipv6.conf.all.router_solicitation_delay = 1
net.ipv6.conf.all.router_solicitation_interval = 4
net.ipv6.conf.all.router_solicitation_max_interval = 3600
net.ipv6.conf.all.router_solicitations = -1
net.ipv6.conf.all.seg6_enabled = 0
net.ipv6.conf.all.seg6_require_hmac = 0
net.ipv6.conf.all.suppress_frag_ndisc = 1
net.ipv6.conf.all.temp_prefered_lft = 86400
net.ipv6.conf.all.temp_valid_lft = 604800
net.ipv6.conf.all.use_oif_addrs_only = 0
net.ipv6.conf.all.use_optimistic = 0
net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.accept_dad = 1
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.default.accept_ra_defrtr = 1
net.ipv6.conf.default.accept_ra_from_local = 0
net.ipv6.conf.default.accept_ra_min_hop_limit = 1
net.ipv6.conf.default.accept_ra_mtu = 1
net.ipv6.conf.default.accept_ra_pinfo = 1
net.ipv6.conf.default.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.default.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 1
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.default.addr_gen_mode = 0
net.ipv6.conf.default.autoconf = 1
net.ipv6.conf.default.dad_transmits = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.default.disable_policy = 0
net.ipv6.conf.default.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.default.drop_unsolicited_na = 0
net.ipv6.conf.default.enhanced_dad = 1
net.ipv6.conf.default.force_mld_version = 0
net.ipv6.conf.default.force_tllao = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.hop_limit = 64
net.ipv6.conf.default.ignore_routes_with_linkdown = 0
net.ipv6.conf.default.keep_addr_on_down = 0
net.ipv6.conf.default.max_addresses = 16
net.ipv6.conf.default.max_desync_factor = 600
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.default.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.default.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.default.mtu = 1280
net.ipv6.conf.default.ndisc_notify = 0
net.ipv6.conf.default.ndisc_tclass = 0
net.ipv6.conf.default.optimistic_dad = 0
net.ipv6.conf.default.proxy_ndp = 0
net.ipv6.conf.default.regen_max_retry = 3
net.ipv6.conf.default.router_probe_interval = 60
net.ipv6.conf.default.router_solicitation_delay = 1
net.ipv6.conf.default.router_solicitation_interval = 4
net.ipv6.conf.default.router_solicitation_max_interval = 3600
net.ipv6.conf.default.router_solicitations = -1
net.ipv6.conf.default.seg6_enabled = 0
net.ipv6.conf.default.seg6_require_hmac = 0
net.ipv6.conf.default.suppress_frag_ndisc = 1
net.ipv6.conf.default.temp_prefered_lft = 86400
net.ipv6.conf.default.temp_valid_lft = 604800
net.ipv6.conf.default.use_oif_addrs_only = 0
net.ipv6.conf.default.use_optimistic = 0
net.ipv6.conf.default.use_tempaddr = 0
net.ipv6.conf.enp0s17.accept_dad = 1
net.ipv6.conf.enp0s17.accept_ra = 1
net.ipv6.conf.enp0s17.accept_ra_defrtr = 1
net.ipv6.conf.enp0s17.accept_ra_from_local = 0
net.ipv6.conf.enp0s17.accept_ra_min_hop_limit = 1
net.ipv6.conf.enp0s17.accept_ra_mtu = 1
net.ipv6.conf.enp0s17.accept_ra_pinfo = 1
net.ipv6.conf.enp0s17.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.enp0s17.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.enp0s17.accept_ra_rtr_pref = 1
net.ipv6.conf.enp0s17.accept_redirects = 1
net.ipv6.conf.enp0s17.accept_source_route = 0
net.ipv6.conf.enp0s17.addr_gen_mode = 0
net.ipv6.conf.enp0s17.autoconf = 1
net.ipv6.conf.enp0s17.dad_transmits = 1
net.ipv6.conf.enp0s17.disable_ipv6 = 1
net.ipv6.conf.enp0s17.disable_policy = 0
net.ipv6.conf.enp0s17.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.enp0s17.drop_unsolicited_na = 0
net.ipv6.conf.enp0s17.enhanced_dad = 1
net.ipv6.conf.enp0s17.force_mld_version = 0
net.ipv6.conf.enp0s17.force_tllao = 0
net.ipv6.conf.enp0s17.forwarding = 0
net.ipv6.conf.enp0s17.hop_limit = 64
net.ipv6.conf.enp0s17.ignore_routes_with_linkdown = 0
net.ipv6.conf.enp0s17.keep_addr_on_down = 0
net.ipv6.conf.enp0s17.max_addresses = 16
net.ipv6.conf.enp0s17.max_desync_factor = 600
net.ipv6.conf.enp0s17.mc_forwarding = 0
net.ipv6.conf.enp0s17.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.enp0s17.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.enp0s17.mtu = 1500
net.ipv6.conf.enp0s17.ndisc_notify = 0
net.ipv6.conf.enp0s17.ndisc_tclass = 0
net.ipv6.conf.enp0s17.optimistic_dad = 0
net.ipv6.conf.enp0s17.proxy_ndp = 0
net.ipv6.conf.enp0s17.regen_max_retry = 3
net.ipv6.conf.enp0s17.router_probe_interval = 60
net.ipv6.conf.enp0s17.router_solicitation_delay = 1
net.ipv6.conf.enp0s17.router_solicitation_interval = 4
net.ipv6.conf.enp0s17.router_solicitation_max_interval = 3600
net.ipv6.conf.enp0s17.router_solicitations = -1
net.ipv6.conf.enp0s17.seg6_enabled = 0
net.ipv6.conf.enp0s17.seg6_require_hmac = 0
net.ipv6.conf.enp0s17.suppress_frag_ndisc = 1
net.ipv6.conf.enp0s17.temp_prefered_lft = 86400
net.ipv6.conf.enp0s17.temp_valid_lft = 604800
net.ipv6.conf.enp0s17.use_oif_addrs_only = 0
net.ipv6.conf.enp0s17.use_optimistic = 0
net.ipv6.conf.enp0s17.use_tempaddr = 0
net.ipv6.conf.enp0s8.accept_dad = 1
net.ipv6.conf.enp0s8.accept_ra = 1
net.ipv6.conf.enp0s8.accept_ra_defrtr = 1
net.ipv6.conf.enp0s8.accept_ra_from_local = 0
net.ipv6.conf.enp0s8.accept_ra_min_hop_limit = 1
net.ipv6.conf.enp0s8.accept_ra_mtu = 1
net.ipv6.conf.enp0s8.accept_ra_pinfo = 1
net.ipv6.conf.enp0s8.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.enp0s8.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.enp0s8.accept_ra_rtr_pref = 1
net.ipv6.conf.enp0s8.accept_redirects = 1
net.ipv6.conf.enp0s8.accept_source_route = 0
net.ipv6.conf.enp0s8.addr_gen_mode = 0
net.ipv6.conf.enp0s8.autoconf = 1
net.ipv6.conf.enp0s8.dad_transmits = 1
net.ipv6.conf.enp0s8.disable_ipv6 = 1
net.ipv6.conf.enp0s8.disable_policy = 0
net.ipv6.conf.enp0s8.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.enp0s8.drop_unsolicited_na = 0
net.ipv6.conf.enp0s8.enhanced_dad = 1
net.ipv6.conf.enp0s8.force_mld_version = 0
net.ipv6.conf.enp0s8.force_tllao = 0
net.ipv6.conf.enp0s8.forwarding = 0
net.ipv6.conf.enp0s8.hop_limit = 64
net.ipv6.conf.enp0s8.ignore_routes_with_linkdown = 0
net.ipv6.conf.enp0s8.keep_addr_on_down = 0
net.ipv6.conf.enp0s8.max_addresses = 16
net.ipv6.conf.enp0s8.max_desync_factor = 600
net.ipv6.conf.enp0s8.mc_forwarding = 0
net.ipv6.conf.enp0s8.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.enp0s8.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.enp0s8.mtu = 1500
net.ipv6.conf.enp0s8.ndisc_notify = 0
net.ipv6.conf.enp0s8.ndisc_tclass = 0
net.ipv6.conf.enp0s8.optimistic_dad = 0
net.ipv6.conf.enp0s8.proxy_ndp = 0
net.ipv6.conf.enp0s8.regen_max_retry = 3
net.ipv6.conf.enp0s8.router_probe_interval = 60
net.ipv6.conf.enp0s8.router_solicitation_delay = 1
net.ipv6.conf.enp0s8.router_solicitation_interval = 4
net.ipv6.conf.enp0s8.router_solicitation_max_interval = 3600
net.ipv6.conf.enp0s8.router_solicitations = -1
net.ipv6.conf.enp0s8.seg6_enabled = 0
net.ipv6.conf.enp0s8.seg6_require_hmac = 0
net.ipv6.conf.enp0s8.suppress_frag_ndisc = 1
net.ipv6.conf.enp0s8.temp_prefered_lft = 86400
net.ipv6.conf.enp0s8.temp_valid_lft = 604800
net.ipv6.conf.enp0s8.use_oif_addrs_only = 0
net.ipv6.conf.enp0s8.use_optimistic = 0
net.ipv6.conf.enp0s8.use_tempaddr = 0
net.ipv6.conf.lo.accept_dad = -1
net.ipv6.conf.lo.accept_ra = 1
net.ipv6.conf.lo.accept_ra_defrtr = 1
net.ipv6.conf.lo.accept_ra_from_local = 0
net.ipv6.conf.lo.accept_ra_min_hop_limit = 1
net.ipv6.conf.lo.accept_ra_mtu = 1
net.ipv6.conf.lo.accept_ra_pinfo = 1
net.ipv6.conf.lo.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.lo.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.lo.accept_ra_rtr_pref = 1
net.ipv6.conf.lo.accept_redirects = 1
net.ipv6.conf.lo.accept_source_route = 0
net.ipv6.conf.lo.addr_gen_mode = 0
net.ipv6.conf.lo.autoconf = 1
net.ipv6.conf.lo.dad_transmits = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.lo.disable_policy = 0
net.ipv6.conf.lo.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.lo.drop_unsolicited_na = 0
net.ipv6.conf.lo.enhanced_dad = 1
net.ipv6.conf.lo.force_mld_version = 0
net.ipv6.conf.lo.force_tllao = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.hop_limit = 64
net.ipv6.conf.lo.ignore_routes_with_linkdown = 0
net.ipv6.conf.lo.keep_addr_on_down = 0
net.ipv6.conf.lo.max_addresses = 16
net.ipv6.conf.lo.max_desync_factor = 600
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.lo.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.lo.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.lo.mtu = 65536
net.ipv6.conf.lo.ndisc_notify = 0
net.ipv6.conf.lo.ndisc_tclass = 0
net.ipv6.conf.lo.optimistic_dad = 0
net.ipv6.conf.lo.proxy_ndp = 0
net.ipv6.conf.lo.regen_max_retry = 3
net.ipv6.conf.lo.router_probe_interval = 60
net.ipv6.conf.lo.router_solicitation_delay = 1
net.ipv6.conf.lo.router_solicitation_interval = 4
net.ipv6.conf.lo.router_solicitation_max_interval = 3600
net.ipv6.conf.lo.router_solicitations = -1
net.ipv6.conf.lo.seg6_enabled = 0
net.ipv6.conf.lo.seg6_require_hmac = 0
net.ipv6.conf.lo.suppress_frag_ndisc = 1
net.ipv6.conf.lo.temp_prefered_lft = 86400
net.ipv6.conf.lo.temp_valid_lft = 604800
net.ipv6.conf.lo.use_oif_addrs_only = 0
net.ipv6.conf.lo.use_optimistic = 0
net.ipv6.conf.lo.use_tempaddr = -1
net.ipv6.fib_multipath_hash_policy = 0
net.ipv6.flowlabel_consistency = 1
net.ipv6.flowlabel_reflect = 0
net.ipv6.flowlabel_state_ranges = 0
net.ipv6.fwmark_reflect = 0
net.ipv6.icmp.echo_ignore_all = 0
net.ipv6.icmp.ratelimit = 1000
net.ipv6.idgen_delay = 1
net.ipv6.idgen_retries = 3
net.ipv6.ip6frag_high_thresh = 4194304
net.ipv6.ip6frag_low_thresh = 3145728
net.ipv6.ip6frag_secret_interval = 0
net.ipv6.ip6frag_time = 60
net.ipv6.ip_nonlocal_bind = 0
net.ipv6.max_dst_opts_length = 2147483647
net.ipv6.max_dst_opts_number = 8
net.ipv6.max_hbh_length = 2147483647
net.ipv6.max_hbh_opts_number = 8
net.ipv6.mld_max_msf = 64
net.ipv6.mld_qrv = 2
net.ipv6.neigh.default.anycast_delay = 100
net.ipv6.neigh.default.app_solicit = 0
net.ipv6.neigh.default.base_reachable_time_ms = 30000
net.ipv6.neigh.default.delay_first_probe_time = 5
net.ipv6.neigh.default.gc_interval = 30
net.ipv6.neigh.default.gc_stale_time = 60
net.ipv6.neigh.default.gc_thresh1 = 128
net.ipv6.neigh.default.gc_thresh2 = 512
net.ipv6.neigh.default.gc_thresh3 = 1024
net.ipv6.neigh.default.locktime = 0
net.ipv6.neigh.default.mcast_resolicit = 0
net.ipv6.neigh.default.mcast_solicit = 3
net.ipv6.neigh.default.proxy_delay = 80
net.ipv6.neigh.default.proxy_qlen = 64
net.ipv6.neigh.default.retrans_time_ms = 1000
net.ipv6.neigh.default.ucast_solicit = 3
net.ipv6.neigh.default.unres_qlen = 101
net.ipv6.neigh.default.unres_qlen_bytes = 212992
net.ipv6.neigh.enp0s17.anycast_delay = 100
net.ipv6.neigh.enp0s17.app_solicit = 0
net.ipv6.neigh.enp0s17.base_reachable_time_ms = 30000
net.ipv6.neigh.enp0s17.delay_first_probe_time = 5
net.ipv6.neigh.enp0s17.gc_stale_time = 60
net.ipv6.neigh.enp0s17.locktime = 0
net.ipv6.neigh.enp0s17.mcast_resolicit = 0
net.ipv6.neigh.enp0s17.mcast_solicit = 3
net.ipv6.neigh.enp0s17.proxy_delay = 80
net.ipv6.neigh.enp0s17.proxy_qlen = 64
net.ipv6.neigh.enp0s17.retrans_time_ms = 1000
net.ipv6.neigh.enp0s17.ucast_solicit = 3
net.ipv6.neigh.enp0s17.unres_qlen = 101
net.ipv6.neigh.enp0s17.unres_qlen_bytes = 212992
net.ipv6.neigh.enp0s8.anycast_delay = 100
net.ipv6.neigh.enp0s8.app_solicit = 0
net.ipv6.neigh.enp0s8.base_reachable_time_ms = 30000
net.ipv6.neigh.enp0s8.delay_first_probe_time = 5
net.ipv6.neigh.enp0s8.gc_stale_time = 60
net.ipv6.neigh.enp0s8.locktime = 0
net.ipv6.neigh.enp0s8.mcast_resolicit = 0
net.ipv6.neigh.enp0s8.mcast_solicit = 3
net.ipv6.neigh.enp0s8.proxy_delay = 80
net.ipv6.neigh.enp0s8.proxy_qlen = 64
net.ipv6.neigh.enp0s8.retrans_time_ms = 1000
net.ipv6.neigh.enp0s8.ucast_solicit = 3
net.ipv6.neigh.enp0s8.unres_qlen = 101
net.ipv6.neigh.enp0s8.unres_qlen_bytes = 212992
net.ipv6.neigh.lo.anycast_delay = 100
net.ipv6.neigh.lo.app_solicit = 0
net.ipv6.neigh.lo.base_reachable_time_ms = 30000
net.ipv6.neigh.lo.delay_first_probe_time = 5
net.ipv6.neigh.lo.gc_stale_time = 60
net.ipv6.neigh.lo.locktime = 0
net.ipv6.neigh.lo.mcast_resolicit = 0
net.ipv6.neigh.lo.mcast_solicit = 3
net.ipv6.neigh.lo.proxy_delay = 80
net.ipv6.neigh.lo.proxy_qlen = 64
net.ipv6.neigh.lo.retrans_time_ms = 1000
net.ipv6.neigh.lo.ucast_solicit = 3
net.ipv6.neigh.lo.unres_qlen = 101
net.ipv6.neigh.lo.unres_qlen_bytes = 212992
net.ipv6.route.gc_elasticity = 9
net.ipv6.route.gc_interval = 30
net.ipv6.route.gc_min_interval = 0
net.ipv6.route.gc_min_interval_ms = 500
net.ipv6.route.gc_thresh = 1024
net.ipv6.route.gc_timeout = 60
net.ipv6.route.max_size = 4096
net.ipv6.route.min_adv_mss = 1220
net.ipv6.route.mtu_expires = 600
net.ipv6.seg6_flowlabel = 0
net.ipv6.xfrm6_gc_thresh = 32768

Additional context I already disabled IPV6 on all interfaces

mboelen commented 3 years ago

You say "I already disabled IPV6 on all interfaces". Can you show how you did that with the actual configuration that you have in place now?

yupthatguy commented 3 years ago

In my /etc/sysctl.conf I have the following: net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1

In my /etc/modrpobe.d/blacklist.conf file I have blacklist ipv6

I tried all the other measures to disable ipv6 mentioned in https://wiki.debian.org/KernelModuleBlacklisting

Lynis always says IPv6 is enabled

mboelen commented 3 years ago

Did you also reboot the system and test again?

yupthatguy commented 3 years ago

Many times.. still shows:

- Checking IPv6 configuration                               [ ENABLED ]
      Configuration method                                    [ AUTO ]
      IPv6 only                                               [ NO ]
github-actions[bot] commented 3 years ago

Stale issue message

yupthatguy commented 3 years ago

What additional information do you need? How should I confirm this? The problem happens in both my virtualbox devbian 10.5 test machine and on my prod server (also debian 10.5).

silentcreek commented 3 years ago

@mboelen The report is generally correct, even though the title is not precise. Test NETW-2600 merely checks for the presence of any sysctl parameters starting with net.ipv6 and if it finds any, it assumes IPv6 is enabled which is not correct. If all net.ipv6.conf.*.disable_ipv6 parameters are set to 1, then IPv6 is effectively disabled. Please note, that this setting must be checked for all interfaces, because if net.ipv6.conf.all.disable_ipv6=1 and net.ipv6.conf.default.disable_ipv6=1 are applied after an interface is set up, then the interface will still have IPv6 enabled.

@yupthatguy A few remarks on your configuration:

  1. net.ipv6.conf.lo.disable_ipv6=1 shouldn't be needed if your sysctl settings are applied early enough in the boot process. If they aren't, it might even be safer to list all interfaces explicitly in order to avoid race conditions where the interface is set up before your sysctl settings are applied.
  2. blacklist ipv6 in your modprobe configuration is unfortunately not effective. This only prevents loading the module directly. But if a different module is loaded that depends on ipv6, then the ipv6 module will still be loaded which is also why you see all the ipv6 settings in your sysctl output. If you really want to blacklist a module, you should do a fake install by replacing your blacklist statement with install ipv6 /bin/true. This is also why I said above, that the title of your issue is not precise. It should better be "Lynis ignores IPv6 disabled state" or so.
  3. It is easier or "cleaner", however, to disable IPv6 from the kernel command line. See e.g. https://www.techrepublic.com/article/how-to-disable-ipv6-through-grub-in-linux/ This approach ensures that the ipv6 module and subsystem aren't loaded and sysctl -a | grep "^net.ipv6" will return nothing which also makes lynis happy and would work around your false positive report.
yupthatguy commented 3 years ago

Thanks for the reply. I will give the grub edit method a try and let you know.

yupthatguy commented 3 years ago

The grub method of disabling IPv6 works like a charm... Lynis now recognizes that IPV6 is disabled. However, there was one mild "side-effect" that folks should be aware of.

Using the grub method to disable IPv6 resulted in dovecot service to fail. However, it was easy enough to fix:

nano /etc/dovecot/dovecot.conf

change: listen = *, ::

to

listen = *

Then,

systemctl restart dovecot

And life is good again..