STIGQter STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

RHEL 8 must not accept router advertisements on all IPv6 interfaces.

DISA Rule

SV-230541r627750_rule

Vulnerability Number

V-230541

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

RHEL-08-040261

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router with the following commands:

$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0

If "0" is not the system's default value then add or update the following lines in the appropriate file under "/etc/sysctl.d":

net.ipv6.conf.all.accept_ra=0

Check Contents

Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router.

Note: If IPv6 is disabled on the system, this requirement is not applicable.

Check to see if router advertisements are not accepted by using the following command:

$ sudo sysctl net.ipv6.conf.all.accept_ra

net.ipv6.conf.all.accept_ra = 0

If the "accept_ra" value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Vulnerability Number

V-230541

Documentable

False

Rule Version

RHEL-08-040261

Severity Override Guidance

Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router.

Note: If IPv6 is disabled on the system, this requirement is not applicable.

Check to see if router advertisements are not accepted by using the following command:

$ sudo sysctl net.ipv6.conf.all.accept_ra

net.ipv6.conf.all.accept_ra = 0

If the "accept_ra" value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Check Content Reference

M

Target Key

2921

Comments