---
title: Disable Kernel Parameter for IPv6 Forwarding by default
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Disable Kernel Parameter for IPv6
  Forwarding by default
---

# Disable Kernel Parameter for IPv6 Forwarding by default
 
## Description{% #description %}

To set the runtime status of the `net.ipv6.conf.default.forwarding` kernel parameter, run the following command:

```
$ sudo sysctl -w net.ipv6.conf.default.forwarding=0
```

To make sure that the setting is persistent, add the following line to a file in the directory `/etc/sysctl.d`:

```
net.ipv6.conf.default.forwarding = 0
```

## Rationale{% #rationale %}

IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

## Remediation{% #remediation %}

### Shell script{% #shell-script %}

The following script can be run on the host to remediate the issue.

```bash
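#!/bin/bash
#
# Remediation for CCE-87075-8 ("Disable Kernel Parameter for IPv6 Forwarding
# by default").
#
# 1. Comments out every active net.ipv6.conf.default.forwarding line found in
#    the sysctl.d drop-in directories, so that /etc/sysctl.conf becomes the
#    only definition of this key (drop-ins would otherwise override it).
# 2. Applies the value to the running kernel (skipped in the image-based
#    container case described at apply_runtime_value).
# 3. Ensures "net.ipv6.conf.default.forwarding = 0" is present in
#    /etc/sysctl.conf, rewriting an existing line or appending a new one.
#
# Must run as root (writes under /etc). Only applicable on RPM-based hosts
# with the kernel-core package installed; elsewhere it reports that on
# stderr and does nothing.
#
# NOTE: `set -e` is deliberately not used: grep returning non-zero ("no
# match") is part of the normal flow in several places below.

readonly SYSCTL_KEY="net.ipv6.conf.default.forwarding"
readonly SYSCTL_VALUE='0'
readonly SYSCONFIG_FILE="/etc/sysctl.conf"
readonly CCE="CCE-87075-8"
# Key with its dots escaped so that, inside grep/sed patterns, "." matches a
# literal dot rather than any character.
readonly SYSCTL_KEY_RE="${SYSCTL_KEY//./\\.}"

#######################################
# Escape a string so sed matches it literally in a BRE pattern
# (escapes ] [ \ / . * ^ $).
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout
#######################################
escape_bre() {
  printf '%s\n' "$1" | sed -e 's|[][\\/.*^$]|\\&|g'
}

#######################################
# Escape a string for the replacement side of a sed s/// command
# (escapes \ / &).
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout
#######################################
escape_sed_replacement() {
  printf '%s\n' "$1" | sed -e 's|[\\/&]|\\&|g'
}

#######################################
# Comment out every uncommented line mentioning the key in the sysctl.d
# drop-in directories. Lines are commented rather than deleted so the
# previous user data is preserved.
# Globals:   SYSCTL_KEY_RE, SYSCONFIG_FILE (read)
#######################################
comment_out_dropins() {
  local f entry escaped_entry matching_list
  for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
    # An unmatched glob expands to the literal pattern; skip it instead of
    # letting grep fail on a non-existent path.
    [[ -e "$f" ]] || continue
    # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
    if [[ "$(readlink -f "$f")" == "${SYSCONFIG_FILE}" ]]; then continue; fi

    # Every non-comment line that contains the key (any value, any spacing).
    matching_list=$(grep -P '^(?!#).*[\s]*'"${SYSCTL_KEY_RE}"'.*$' "$f" | uniq)
    [[ -n "$matching_list" ]] || continue

    while IFS= read -r entry; do
      # The whole line is used as a sed pattern, so escape it fully, not just "/".
      escaped_entry=$(escape_bre "$entry")
      # comment out "net.ipv6.conf.default.forwarding" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" "$f"
    done <<< "$matching_list"
  done
}

#######################################
# Set the value on the running kernel.
# Skipped when the kernel, rpm-ostree and bootc packages are all installed,
# openshift-kubelet is not, and a containerenv marker exists, i.e. the
# script appears to be running inside a container on an image-based host
# (presumably the running kernel is not the one being configured there).
# Globals:   SYSCTL_KEY, SYSCTL_VALUE (read)
#######################################
apply_runtime_value() {
  if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
    /sbin/sysctl -q -n -w "${SYSCTL_KEY}=${SYSCTL_VALUE}"
  fi
}

#######################################
# Ensure "key = value" is present in SYSCONFIG_FILE: rewrite an existing
# line (matched case-insensitively) in place, otherwise append it together
# with a comment naming the CCE. The file is created if it does not exist.
# Globals:   SYSCTL_KEY, SYSCTL_KEY_RE, SYSCTL_VALUE, SYSCONFIG_FILE, CCE (read)
#######################################
persist_value() {
  local formatted_output escaped_formatted_output
  printf -v formatted_output "%s = %s" "${SYSCTL_KEY}" "${SYSCTL_VALUE}"

  # The key must be followed by a word boundary (\>), so a longer key that
  # merely starts with the same characters ("setting" vs "setting2") is not matched.
  if LC_ALL=C grep -q -m 1 -i -e "^${SYSCTL_KEY_RE}\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(escape_sed_replacement "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^${SYSCTL_KEY_RE}\\>.*/${escaped_formatted_output}/gi" "${SYSCONFIG_FILE}"
  else
    # Guarantee a trailing newline before appending to a non-empty file.
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
      LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    printf '# Per %s: Set %s in %s\n' "${CCE}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
  fi
}

main() {
  # Remediation is applicable only in certain platforms
  if rpm --quiet -q kernel-core; then
    comment_out_dropins
    apply_runtime_value
    persist_value
  else
    printf '%s\n' 'Remediation is not applicable, nothing was done' >&2
  fi
}

main "$@"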
```

### Ansible playbook{% #ansible-playbook %}

The following playbook can be run with Ansible to remediate the issue.

```yaml
# Remediation for CCE-87075-8. Every task below is gated on the kernel-core
# package being present in ansible_facts.packages, so the play is a no-op on
# other hosts.
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-87075-8
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_forwarding
# Desired value ("0"), promoted to a fact so the later tasks can reference it.
- name: XCCDF Value sysctl_net_ipv6_conf_default_forwarding_value # promote to variable
  set_fact:
    sysctl_net_ipv6_conf_default_forwarding_value: !!str 0
  tags:
    - always

# Drop-in directories that may carry competing definitions of the key.
- name: Disable Kernel Parameter for IPv6 Forwarding by default - Set fact for sysctl
    paths
  ansible.builtin.set_fact:
    sysctl_paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
  when: '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-87075-8
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_forwarding

# Collects every "<file>:<line>" in the drop-ins that sets the key, with any
# value. failed_when: false because grep exits non-zero when nothing matches.
- name: Disable Kernel Parameter for IPv6 Forwarding by default - Find all files that
    contain net.ipv6.conf.default.forwarding
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
      -HP '^\s*net.ipv6.conf.default.forwarding\s*=\s*.*$'
  register: find_all_values
  check_mode: false
  changed_when: false
  failed_when: false
  when: '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-87075-8
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_forwarding

# Same search, restricted to lines that already hold the desired value.
- name: Disable Kernel Parameter for IPv6 Forwarding by default - Find all files that
    set net.ipv6.conf.default.forwarding to correct value
  ansible.builtin.shell:
    cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
      -HP '^\s*net.ipv6.conf.default.forwarding\s*=\s*{{ sysctl_net_ipv6_conf_default_forwarding_value
      }}$'
  register: find_correct_value
  check_mode: false
  changed_when: false
  failed_when: false
  when: '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-87075-8
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_forwarding

# Comments out every occurrence found in the drop-ins unless all of them
# already carry the desired value, so that /etc/sysctl.conf (next task) is
# the only active definition. The file path is the part before the first ":"
# of each grep -H result line.
- name: Disable Kernel Parameter for IPv6 Forwarding by default - Comment out any
    occurrences of net.ipv6.conf.default.forwarding from config files
  ansible.builtin.replace:
    path: '{{ item | split(":") | first }}'
    regexp: ^[\s]*net.ipv6.conf.default.forwarding
    replace: '#net.ipv6.conf.default.forwarding'
  loop: '{{ find_all_values.stdout_lines }}'
  when:
  - '"kernel-core" in ansible_facts.packages'
  - find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines
    | length > find_correct_value.stdout_lines | length
  tags:
  - CCE-87075-8
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_forwarding

# Persists the key in /etc/sysctl.conf; reload: true re-applies the file to
# the running kernel when it changes.
- name: Disable Kernel Parameter for IPv6 Forwarding by default - Ensure sysctl net.ipv6.conf.default.forwarding
    is set
  ansible.posix.sysctl:
    name: net.ipv6.conf.default.forwarding
    value: '{{ sysctl_net_ipv6_conf_default_forwarding_value }}'
    sysctl_file: /etc/sysctl.conf
    state: present
    reload: true
  when: '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-87075-8
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-6.1(iv)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_net_ipv6_conf_default_forwarding
```
