Puppet Class: cis_security_hardening::rules::disable_ipv6

Defined in:
manifests/rules/disable_ipv6.pp

Summary

Disable IPv6

Overview

Although IPv6 has many advantages over IPv4, not all organizations have IPv6 or dual stack configurations implemented.

Rationale: If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system.

Examples:

class { 'cis_security_hardening::rules::disable_ipv6':
    enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule



# File 'manifests/rules/disable_ipv6.pp', line 18

class cis_security_hardening::rules::disable_ipv6 (
  Boolean $enforce = false,
) {
  if $enforce {
    kernel_parameter { 'ipv6.disable':
      value => '1',
    }

    if fact('network6') != undef {
      sysctl { 'net.ipv6.conf.all.disable_ipv6':
        ensure    => present,
        permanent => 'yes',
        value     => 1,
      }
      sysctl { 'net.ipv6.conf.default.disable_ipv6':
        ensure    => present,
        permanent => 'yes',
        value     => 1,
      }
    }
  }
}
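
One way to confirm on a node that the settings this class manages are in effect. This is an added example, not part of the cis_security_hardening module; the function names and the `--run` switch are assumptions made for illustration, and the paths are passed as arguments so the checks can also be run against fixture files.

```shell
#!/bin/sh
# Added example: audit the settings the class above manages.
# Paths are arguments so the checks can be run against fixture files.

# True if the kernel command line text contains the exact token ipv6.disable=1.
cmdline_disables_ipv6() {
    case " $1 " in
        *" ipv6.disable=1 "*) return 0 ;;
    esac
    return 1
}

# True if the given sysctl file is readable and holds the value 1.
sysctl_is_one() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# audit_ipv6 <cmdline-file> <proc-sys-root>
# Prints one PASS/FAIL line per check; returns 0 only if every check passes.
audit_ipv6() {
    cmdline=$(cat "$1" 2>/dev/null) || cmdline=""
    conf="$2/net/ipv6/conf"
    rc=0

    if cmdline_disables_ipv6 "$cmdline"; then
        echo "PASS kernel parameter ipv6.disable=1"
    else
        echo "FAIL kernel parameter ipv6.disable=1 not on command line"
        rc=1
    fi

    # No IPv6 sysctl tree means the stack is not loaded; nothing more to check.
    if [ ! -d "$conf" ]; then
        echo "INFO $conf absent, sysctl checks skipped"
        return "$rc"
    fi

    for scope in all default; do
        if sysctl_is_one "$conf/$scope/disable_ipv6"; then
            echo "PASS net.ipv6.conf.$scope.disable_ipv6 = 1"
        else
            echo "FAIL net.ipv6.conf.$scope.disable_ipv6 is not 1"
            rc=1
        fi
    done
    return "$rc"
}

# Run against the live system only when asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_ipv6 /proc/cmdline /proc/sys; fi
```

The kernel command line shown in `/proc/cmdline` is that of the current boot, so the first check reports FAIL until the node has been rebooted after the Puppet run.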