Add option to disable the entire IPv6 stack functionality

README.md

@@ -113,6 +113,8 @@ configuration file.
 -   Obtain more entropy at boot from RAM as the runtime memory allocator is 
     being initialised.
 
+-   Provide option to disable the entire IPv6 stack to reduce attack surface.
+
 Disallow sensitive kernel information leaks in the console during boot. See
 the `/etc/default/grub.d/40_quiet_boot.cfg` configuration file.
 

etc/default/grub.d/40_kernel_hardening.cfg

@@ -9,6 +9,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## 1. Kernel Space
 ## 2. Direct Memory Access
 ## 3. Entropy
+## 4. Networking
 
 ## See the documentation below for details on the majority of the selected commands.
 ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
@@ -171,3 +172,17 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
 ## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
+
+## 4. Networking
+##
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters
+
+## Disable the entire IPv6 stack functionality.
+## Removes attack surface associated with the IPv6 module.
+## 
+## https://www.kernel.org/doc/html/latest/networking/ipv6.html
+## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
+##
+## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf.
+##
+#ipv6.disable=1