Add option to disable the entire IPv6 stack functionality

2025-01-15 23:07:09 -05:00 · 2024-07-15 01:59:04 +10:00 · 2024-07-15 01:59:04 +10:00 · f550fbe07c
commit f550fbe07c
parent a33d4cd099
2 changed files with 17 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -113,6 +113,8 @@ configuration file.
 -   Obtain more entropy at boot from RAM as the runtime memory allocator is 
    being initialised.

+-   Provide option to disable the entire IPv6 stack to reduce attack surface.
+
 Disallow sensitive kernel information leaks in the console during boot. See
 the `/etc/default/grub.d/40_quiet_boot.cfg` configuration file.

--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -9,6 +9,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## 1. Kernel Space
 ## 2. Direct Memory Access
 ## 3. Entropy
+## 4. Networking

 ## See the documentation below for details on the majority of the selected commands.
 ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
@ -171,3 +172,17 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
 ## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
+
+## 4. Networking
+##
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters
+
+## Disable the entire IPv6 stack functionality.
+## Removes attack surface associated with the IPv6 module.
+## 
+## https://www.kernel.org/doc/html/latest/networking/ipv6.html
+## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
+##
+## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf.
+##
+#ipv6.disable=1