3.3.2.8 Ensure net.ipv6.conf.default.accept_ra is configured

Information

Routers periodically multicast Router Advertisement (RA) messages to announce their availability and convey information to neighboring nodes that enables them to be automatically configured on the network.

net.ipv6.conf.default.accept_ra controls accepting IPv6 RA messages on newly added network devices.

More information about the kernel parameter configuration files, their location, and load preference is available in the "Configure Network Kernel Parameters" section overview.

Note: If IPv6 has been disabled, this recommendation is not applicable.

It is recommended that systems do not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.

Solution

- Run the following command to comment out net.ipv6.conf.default.accept_ra lines returned by the audit procedure that are not net.ipv6.conf.default.accept_ra = 0:

# sed -ri '/^\s*net.ipv6.conf.default.accept_ra\s*=\s*1/s/^/#/g' "path/to/file/in/audit/filename"

Example:

# sed -ri '/^\s*net.ipv6.conf.default.accept_ra\s*=\s*1/s/^/#/g' /etc/sysctl.d/99-sysctl.conf

- Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or add the following line:

net.ipv6.conf.default.accept_ra = 0

Example:

# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.d/60-ipv6_sysctl.conf

- Run the following command to load all sysctl configuration files:

# sysctl --system
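The three steps above, as an added example that is not part of the benchmark text: the functions below apply the comment-out and append steps to whatever sysctl drop-in directory they are given, and a small audit helper computes the value sysctl --system would settle on from that directory alone (files read in lexical order, last uncommented assignment wins). The demonstration runs against a constructed scratch directory, so the sed expression can be checked before it is pointed at the real /etc/sysctl.d. It assumes GNU sed (for -r, -i and \s) and mktemp; the final sysctl --system reload is intentionally left out because it only makes sense on the live host.

```shell
#!/bin/sh
# Added example, not taken from the CIS benchmark. Assumes GNU sed and mktemp.

# Plain key for writing, and a literal-dot regex form for matching so the
# pattern cannot hit unrelated parameters.
KEY='net.ipv6.conf.default.accept_ra'
KEY_RE='net\.ipv6\.conf\.default\.accept_ra'

# effective_value DIR: the value sysctl --system would end up with from DIR
# alone. The shell glob yields files in lexical order; the last uncommented
# assignment wins. Prints an empty string when no file sets the key.
effective_value() {
    val=""
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -rn "s/^\s*${KEY_RE}\s*=\s*([0-9]+)\s*$/\1/p" "$f" | tail -n 1)
        [ -n "$v" ] && val="$v"
    done
    printf '%s\n' "$val"
}

# remediate_dir DIR: step 1 comments out every "<key> = 1" line in DIR/*.conf
# (same sed expression as the benchmark, with the dots escaped); step 2 appends
# "<key> = 0" to DIR/60-ipv6_sysctl.conf, the benchmark's example filename.
# Step 3, "sysctl --system", is not run here and would follow on a live host.
remediate_dir() {
    [ -d "$1" ] || mkdir -p "$1"
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        sed -ri "/^\s*${KEY_RE}\s*=\s*1/s/^/#/g" "$f"
    done
    printf '%s\n' "" "$KEY = 0" >> "$1/60-ipv6_sysctl.conf"
}

# Demonstration on a constructed drop-in directory (sample content, not from
# any real host): 99-sysctl.conf sorts after 60-ipv6_sysctl.conf, so its
# "= 1" line would override the new setting unless step 1 comments it out.
demo_dir=$(mktemp -d)
printf '%s\n' 'net.ipv4.ip_forward = 0' "$KEY = 1" > "$demo_dir/99-sysctl.conf"
echo "before: $(effective_value "$demo_dir")"   # 1
remediate_dir "$demo_dir"
echo "after:  $(effective_value "$demo_dir")"   # 0
cat "$demo_dir"/*.conf
rm -rf "$demo_dir"
```

The demonstration shows why the comment-out step cannot be skipped: a 60- file is read before a 99- file, so an uncommented `= 1` in 99-sysctl.conf would silently win over the newly added `= 0`. Run the functions against a copy of the real directory first, confirm effective_value prints 0, and only then apply them to /etc/sysctl.d and reload with sysctl --system.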

See Also

https://workbench.cisecurity.org/benchmarks/25279