Open wlmckeon opened 9 years ago
Looking at the Version 1 Revision 8 of the RHEL6 STIG, it looks like it's not necessary to prevent the kernel module from loading. An easier fix may be just to modify blacklist.sh by removing the line "install ipv6 /bin/false" and just depend on "options ipv6 disable=1" to prevent IPv6 from binding to the network stack.
I'll take a look at it. I'm still all for disabling something if it's not being used.
The toggle_ipv6 script doesn't seem to toggle the ipv6. I think that this is due to the "install ipv6 /bin/false" in the blacklist (placed by misc/blacklist.sh) not being commented out and preventing the ipv6 kernel module from being loaded.
Also, may want to add a section like this for enabling ipv6:
```
# Append the setting if it is missing, otherwise flip the existing no to yes
grep -q IPV6FORWARDING /etc/sysconfig/network
if [ $? -ne 0 ]; then
    echo "IPV6FORWARDING=yes" >> /etc/sysconfig/network
else
    sed -i "/IPV6FORWARDING/s/no/yes/" /etc/sysconfig/network
fi
```
and do the reverse with disabling ipv6. This prevents the error message "Global IPv6 forwarding is disabled in configuration, but not currently disabled in kernel" from being displayed when restarting the network.
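The toggle discussed in this thread, as an added example that is not part of the original issue or the project's scripts: a hypothetical `set_ipv6_state` function that comments out an active `install ipv6 /bin/false` line when enabling, flips `options ipv6 disable=`, and keeps `IPV6FORWARDING` in step. The function name and its file arguments are assumptions; the paths are passed in so it can be run against copies of the modprobe blacklist and `/etc/sysconfig/network` (GNU `sed -i` assumed, as in the snippet above).

```shell
#!/bin/sh
# Added example, not the project's code.
# usage: set_ipv6_state <enable|disable> <modprobe_conf> <sysconfig_network>
set_ipv6_state() {
    mode=$1 modconf=$2 netconf=$3
    case $mode in
        enable)  disable=0 fwd=yes ;;
        disable) disable=1 fwd=no ;;
        *) echo "usage: set_ipv6_state enable|disable MODCONF NETCONF" >&2
           return 2 ;;
    esac
    [ -f "$modconf" ] && [ -f "$netconf" ] || return 1

    # An active "install ipv6 /bin/false" stops the module from loading at
    # all, so enabling must comment it out. Disabling leaves the line as found.
    if [ "$mode" = enable ]; then
        sed -i 's|^[[:space:]]*install[[:space:]]\{1,\}ipv6[[:space:]]\{1,\}/bin/false|#&|' "$modconf"
    fi

    # Flip an existing "options ipv6 disable=N" line, or append one.
    if grep -q '^[[:space:]]*options[[:space:]]\{1,\}ipv6[[:space:]].*disable=' "$modconf"; then
        sed -i "/^[[:space:]]*options[[:space:]]\{1,\}ipv6[[:space:]]/s/disable=[01]/disable=$disable/" "$modconf"
    else
        echo "options ipv6 disable=$disable" >> "$modconf"
    fi

    # Anchor on the key name so only the IPV6FORWARDING line is rewritten.
    if grep -q '^IPV6FORWARDING=' "$netconf"; then
        sed -i "s/^IPV6FORWARDING=.*/IPV6FORWARDING=$fwd/" "$netconf"
    else
        echo "IPV6FORWARDING=$fwd" >> "$netconf"
    fi
}
```

Running it with `enable` twice is safe: the already commented `install` line no longer matches, so it is not prefixed with a second `#`.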