Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lynis Ignores IPV6 Kernel Blacklisting #1146

Open
yupthatguy opened this issue May 6, 2021 · 9 comments
Open

Lynis Ignores IPV6 Kernel Blacklisting #1146

yupthatguy opened this issue May 6, 2021 · 9 comments
Assignees
@mboelen
Labels
needs-confirmation no-issue-activity

Comments

@yupthatguy
Copy link

Describe the bug

Lynis ignores kernel blacklisting of IPv6

I have disabled (blacklisted) the IPV6 kernel module in multiple ways, rebooting multiple times:

https://wiki.debian.org/KernelModuleBlacklisting

But regardless of whatever method that I use, lynis still shows:

[+] Networking

- Checking IPv6 configuration [ ENABLED ]
Configuration method [ AUTO ]
IPv6 only [ NO ]

Version

  • Distribution Debian 10
  • Lynis version 3.0.3

Expected behavior
Lynis at some point should confirm that IPV6 is disabled at the kernel level

Output
If applicable, add output that you get from the tool or the related section of lynis.log

The output of # sysctl -a | grep "^net.ipv6" is :

net.ipv6.anycast_src_echo_reply = 0
net.ipv6.auto_flowlabels = 1
net.ipv6.bindv6only = 0
net.ipv6.conf.all.accept_dad = 0
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.accept_ra_defrtr = 1
net.ipv6.conf.all.accept_ra_from_local = 0
net.ipv6.conf.all.accept_ra_min_hop_limit = 1
net.ipv6.conf.all.accept_ra_mtu = 1
net.ipv6.conf.all.accept_ra_pinfo = 1
net.ipv6.conf.all.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.all.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.addr_gen_mode = 0
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.dad_transmits = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.all.disable_policy = 0
net.ipv6.conf.all.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.all.drop_unsolicited_na = 0
net.ipv6.conf.all.enhanced_dad = 1
net.ipv6.conf.all.force_mld_version = 0
net.ipv6.conf.all.force_tllao = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.hop_limit = 64
net.ipv6.conf.all.ignore_routes_with_linkdown = 0
net.ipv6.conf.all.keep_addr_on_down = 0
net.ipv6.conf.all.max_addresses = 16
net.ipv6.conf.all.max_desync_factor = 600
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.all.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.all.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.all.mtu = 1280
net.ipv6.conf.all.ndisc_notify = 0
net.ipv6.conf.all.ndisc_tclass = 0
net.ipv6.conf.all.optimistic_dad = 0
net.ipv6.conf.all.proxy_ndp = 0
net.ipv6.conf.all.regen_max_retry = 3
net.ipv6.conf.all.router_probe_interval = 60
net.ipv6.conf.all.router_solicitation_delay = 1
net.ipv6.conf.all.router_solicitation_interval = 4
net.ipv6.conf.all.router_solicitation_max_interval = 3600
net.ipv6.conf.all.router_solicitations = -1
net.ipv6.conf.all.seg6_enabled = 0
net.ipv6.conf.all.seg6_require_hmac = 0
net.ipv6.conf.all.suppress_frag_ndisc = 1
net.ipv6.conf.all.temp_prefered_lft = 86400
net.ipv6.conf.all.temp_valid_lft = 604800
net.ipv6.conf.all.use_oif_addrs_only = 0
net.ipv6.conf.all.use_optimistic = 0
net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.accept_dad = 1
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.default.accept_ra_defrtr = 1
net.ipv6.conf.default.accept_ra_from_local = 0
net.ipv6.conf.default.accept_ra_min_hop_limit = 1
net.ipv6.conf.default.accept_ra_mtu = 1
net.ipv6.conf.default.accept_ra_pinfo = 1
net.ipv6.conf.default.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.default.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 1
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.default.addr_gen_mode = 0
net.ipv6.conf.default.autoconf = 1
net.ipv6.conf.default.dad_transmits = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.default.disable_policy = 0
net.ipv6.conf.default.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.default.drop_unsolicited_na = 0
net.ipv6.conf.default.enhanced_dad = 1
net.ipv6.conf.default.force_mld_version = 0
net.ipv6.conf.default.force_tllao = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.hop_limit = 64
net.ipv6.conf.default.ignore_routes_with_linkdown = 0
net.ipv6.conf.default.keep_addr_on_down = 0
net.ipv6.conf.default.max_addresses = 16
net.ipv6.conf.default.max_desync_factor = 600
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.default.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.default.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.default.mtu = 1280
net.ipv6.conf.default.ndisc_notify = 0
net.ipv6.conf.default.ndisc_tclass = 0
net.ipv6.conf.default.optimistic_dad = 0
net.ipv6.conf.default.proxy_ndp = 0
net.ipv6.conf.default.regen_max_retry = 3
net.ipv6.conf.default.router_probe_interval = 60
net.ipv6.conf.default.router_solicitation_delay = 1
net.ipv6.conf.default.router_solicitation_interval = 4
net.ipv6.conf.default.router_solicitation_max_interval = 3600
net.ipv6.conf.default.router_solicitations = -1
net.ipv6.conf.default.seg6_enabled = 0
net.ipv6.conf.default.seg6_require_hmac = 0
net.ipv6.conf.default.suppress_frag_ndisc = 1
net.ipv6.conf.default.temp_prefered_lft = 86400
net.ipv6.conf.default.temp_valid_lft = 604800
net.ipv6.conf.default.use_oif_addrs_only = 0
net.ipv6.conf.default.use_optimistic = 0
net.ipv6.conf.default.use_tempaddr = 0
net.ipv6.conf.enp0s17.accept_dad = 1
net.ipv6.conf.enp0s17.accept_ra = 1
net.ipv6.conf.enp0s17.accept_ra_defrtr = 1
net.ipv6.conf.enp0s17.accept_ra_from_local = 0
net.ipv6.conf.enp0s17.accept_ra_min_hop_limit = 1
net.ipv6.conf.enp0s17.accept_ra_mtu = 1
net.ipv6.conf.enp0s17.accept_ra_pinfo = 1
net.ipv6.conf.enp0s17.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.enp0s17.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.enp0s17.accept_ra_rtr_pref = 1
net.ipv6.conf.enp0s17.accept_redirects = 1
net.ipv6.conf.enp0s17.accept_source_route = 0
net.ipv6.conf.enp0s17.addr_gen_mode = 0
net.ipv6.conf.enp0s17.autoconf = 1
net.ipv6.conf.enp0s17.dad_transmits = 1
net.ipv6.conf.enp0s17.disable_ipv6 = 1
net.ipv6.conf.enp0s17.disable_policy = 0
net.ipv6.conf.enp0s17.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.enp0s17.drop_unsolicited_na = 0
net.ipv6.conf.enp0s17.enhanced_dad = 1
net.ipv6.conf.enp0s17.force_mld_version = 0
net.ipv6.conf.enp0s17.force_tllao = 0
net.ipv6.conf.enp0s17.forwarding = 0
net.ipv6.conf.enp0s17.hop_limit = 64
net.ipv6.conf.enp0s17.ignore_routes_with_linkdown = 0
net.ipv6.conf.enp0s17.keep_addr_on_down = 0
net.ipv6.conf.enp0s17.max_addresses = 16
net.ipv6.conf.enp0s17.max_desync_factor = 600
net.ipv6.conf.enp0s17.mc_forwarding = 0
net.ipv6.conf.enp0s17.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.enp0s17.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.enp0s17.mtu = 1500
net.ipv6.conf.enp0s17.ndisc_notify = 0
net.ipv6.conf.enp0s17.ndisc_tclass = 0
net.ipv6.conf.enp0s17.optimistic_dad = 0
net.ipv6.conf.enp0s17.proxy_ndp = 0
net.ipv6.conf.enp0s17.regen_max_retry = 3
net.ipv6.conf.enp0s17.router_probe_interval = 60
net.ipv6.conf.enp0s17.router_solicitation_delay = 1
net.ipv6.conf.enp0s17.router_solicitation_interval = 4
net.ipv6.conf.enp0s17.router_solicitation_max_interval = 3600
net.ipv6.conf.enp0s17.router_solicitations = -1
net.ipv6.conf.enp0s17.seg6_enabled = 0
net.ipv6.conf.enp0s17.seg6_require_hmac = 0
net.ipv6.conf.enp0s17.suppress_frag_ndisc = 1
net.ipv6.conf.enp0s17.temp_prefered_lft = 86400
net.ipv6.conf.enp0s17.temp_valid_lft = 604800
net.ipv6.conf.enp0s17.use_oif_addrs_only = 0
net.ipv6.conf.enp0s17.use_optimistic = 0
net.ipv6.conf.enp0s17.use_tempaddr = 0
net.ipv6.conf.enp0s8.accept_dad = 1
net.ipv6.conf.enp0s8.accept_ra = 1
net.ipv6.conf.enp0s8.accept_ra_defrtr = 1
net.ipv6.conf.enp0s8.accept_ra_from_local = 0
net.ipv6.conf.enp0s8.accept_ra_min_hop_limit = 1
net.ipv6.conf.enp0s8.accept_ra_mtu = 1
net.ipv6.conf.enp0s8.accept_ra_pinfo = 1
net.ipv6.conf.enp0s8.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.enp0s8.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.enp0s8.accept_ra_rtr_pref = 1
net.ipv6.conf.enp0s8.accept_redirects = 1
net.ipv6.conf.enp0s8.accept_source_route = 0
net.ipv6.conf.enp0s8.addr_gen_mode = 0
net.ipv6.conf.enp0s8.autoconf = 1
net.ipv6.conf.enp0s8.dad_transmits = 1
net.ipv6.conf.enp0s8.disable_ipv6 = 1
net.ipv6.conf.enp0s8.disable_policy = 0
net.ipv6.conf.enp0s8.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.enp0s8.drop_unsolicited_na = 0
net.ipv6.conf.enp0s8.enhanced_dad = 1
net.ipv6.conf.enp0s8.force_mld_version = 0
net.ipv6.conf.enp0s8.force_tllao = 0
net.ipv6.conf.enp0s8.forwarding = 0
net.ipv6.conf.enp0s8.hop_limit = 64
net.ipv6.conf.enp0s8.ignore_routes_with_linkdown = 0
net.ipv6.conf.enp0s8.keep_addr_on_down = 0
net.ipv6.conf.enp0s8.max_addresses = 16
net.ipv6.conf.enp0s8.max_desync_factor = 600
net.ipv6.conf.enp0s8.mc_forwarding = 0
net.ipv6.conf.enp0s8.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.enp0s8.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.enp0s8.mtu = 1500
net.ipv6.conf.enp0s8.ndisc_notify = 0
net.ipv6.conf.enp0s8.ndisc_tclass = 0
net.ipv6.conf.enp0s8.optimistic_dad = 0
net.ipv6.conf.enp0s8.proxy_ndp = 0
net.ipv6.conf.enp0s8.regen_max_retry = 3
net.ipv6.conf.enp0s8.router_probe_interval = 60
net.ipv6.conf.enp0s8.router_solicitation_delay = 1
net.ipv6.conf.enp0s8.router_solicitation_interval = 4
net.ipv6.conf.enp0s8.router_solicitation_max_interval = 3600
net.ipv6.conf.enp0s8.router_solicitations = -1
net.ipv6.conf.enp0s8.seg6_enabled = 0
net.ipv6.conf.enp0s8.seg6_require_hmac = 0
net.ipv6.conf.enp0s8.suppress_frag_ndisc = 1
net.ipv6.conf.enp0s8.temp_prefered_lft = 86400
net.ipv6.conf.enp0s8.temp_valid_lft = 604800
net.ipv6.conf.enp0s8.use_oif_addrs_only = 0
net.ipv6.conf.enp0s8.use_optimistic = 0
net.ipv6.conf.enp0s8.use_tempaddr = 0
net.ipv6.conf.lo.accept_dad = -1
net.ipv6.conf.lo.accept_ra = 1
net.ipv6.conf.lo.accept_ra_defrtr = 1
net.ipv6.conf.lo.accept_ra_from_local = 0
net.ipv6.conf.lo.accept_ra_min_hop_limit = 1
net.ipv6.conf.lo.accept_ra_mtu = 1
net.ipv6.conf.lo.accept_ra_pinfo = 1
net.ipv6.conf.lo.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.lo.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.lo.accept_ra_rtr_pref = 1
net.ipv6.conf.lo.accept_redirects = 1
net.ipv6.conf.lo.accept_source_route = 0
net.ipv6.conf.lo.addr_gen_mode = 0
net.ipv6.conf.lo.autoconf = 1
net.ipv6.conf.lo.dad_transmits = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.lo.disable_policy = 0
net.ipv6.conf.lo.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.lo.drop_unsolicited_na = 0
net.ipv6.conf.lo.enhanced_dad = 1
net.ipv6.conf.lo.force_mld_version = 0
net.ipv6.conf.lo.force_tllao = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.hop_limit = 64
net.ipv6.conf.lo.ignore_routes_with_linkdown = 0
net.ipv6.conf.lo.keep_addr_on_down = 0
net.ipv6.conf.lo.max_addresses = 16
net.ipv6.conf.lo.max_desync_factor = 600
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.lo.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.lo.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.lo.mtu = 65536
net.ipv6.conf.lo.ndisc_notify = 0
net.ipv6.conf.lo.ndisc_tclass = 0
net.ipv6.conf.lo.optimistic_dad = 0
net.ipv6.conf.lo.proxy_ndp = 0
net.ipv6.conf.lo.regen_max_retry = 3
net.ipv6.conf.lo.router_probe_interval = 60
net.ipv6.conf.lo.router_solicitation_delay = 1
net.ipv6.conf.lo.router_solicitation_interval = 4
net.ipv6.conf.lo.router_solicitation_max_interval = 3600
net.ipv6.conf.lo.router_solicitations = -1
net.ipv6.conf.lo.seg6_enabled = 0
net.ipv6.conf.lo.seg6_require_hmac = 0
net.ipv6.conf.lo.suppress_frag_ndisc = 1
net.ipv6.conf.lo.temp_prefered_lft = 86400
net.ipv6.conf.lo.temp_valid_lft = 604800
net.ipv6.conf.lo.use_oif_addrs_only = 0
net.ipv6.conf.lo.use_optimistic = 0
net.ipv6.conf.lo.use_tempaddr = -1
net.ipv6.fib_multipath_hash_policy = 0
net.ipv6.flowlabel_consistency = 1
net.ipv6.flowlabel_reflect = 0
net.ipv6.flowlabel_state_ranges = 0
net.ipv6.fwmark_reflect = 0
net.ipv6.icmp.echo_ignore_all = 0
net.ipv6.icmp.ratelimit = 1000
net.ipv6.idgen_delay = 1
net.ipv6.idgen_retries = 3
net.ipv6.ip6frag_high_thresh = 4194304
net.ipv6.ip6frag_low_thresh = 3145728
net.ipv6.ip6frag_secret_interval = 0
net.ipv6.ip6frag_time = 60
net.ipv6.ip_nonlocal_bind = 0
net.ipv6.max_dst_opts_length = 2147483647
net.ipv6.max_dst_opts_number = 8
net.ipv6.max_hbh_length = 2147483647
net.ipv6.max_hbh_opts_number = 8
net.ipv6.mld_max_msf = 64
net.ipv6.mld_qrv = 2
net.ipv6.neigh.default.anycast_delay = 100
net.ipv6.neigh.default.app_solicit = 0
net.ipv6.neigh.default.base_reachable_time_ms = 30000
net.ipv6.neigh.default.delay_first_probe_time = 5
net.ipv6.neigh.default.gc_interval = 30
net.ipv6.neigh.default.gc_stale_time = 60
net.ipv6.neigh.default.gc_thresh1 = 128
net.ipv6.neigh.default.gc_thresh2 = 512
net.ipv6.neigh.default.gc_thresh3 = 1024
net.ipv6.neigh.default.locktime = 0
net.ipv6.neigh.default.mcast_resolicit = 0
net.ipv6.neigh.default.mcast_solicit = 3
net.ipv6.neigh.default.proxy_delay = 80
net.ipv6.neigh.default.proxy_qlen = 64
net.ipv6.neigh.default.retrans_time_ms = 1000
net.ipv6.neigh.default.ucast_solicit = 3
net.ipv6.neigh.default.unres_qlen = 101
net.ipv6.neigh.default.unres_qlen_bytes = 212992
net.ipv6.neigh.enp0s17.anycast_delay = 100
net.ipv6.neigh.enp0s17.app_solicit = 0
net.ipv6.neigh.enp0s17.base_reachable_time_ms = 30000
net.ipv6.neigh.enp0s17.delay_first_probe_time = 5
net.ipv6.neigh.enp0s17.gc_stale_time = 60
net.ipv6.neigh.enp0s17.locktime = 0
net.ipv6.neigh.enp0s17.mcast_resolicit = 0
net.ipv6.neigh.enp0s17.mcast_solicit = 3
net.ipv6.neigh.enp0s17.proxy_delay = 80
net.ipv6.neigh.enp0s17.proxy_qlen = 64
net.ipv6.neigh.enp0s17.retrans_time_ms = 1000
net.ipv6.neigh.enp0s17.ucast_solicit = 3
net.ipv6.neigh.enp0s17.unres_qlen = 101
net.ipv6.neigh.enp0s17.unres_qlen_bytes = 212992
net.ipv6.neigh.enp0s8.anycast_delay = 100
net.ipv6.neigh.enp0s8.app_solicit = 0
net.ipv6.neigh.enp0s8.base_reachable_time_ms = 30000
net.ipv6.neigh.enp0s8.delay_first_probe_time = 5
net.ipv6.neigh.enp0s8.gc_stale_time = 60
net.ipv6.neigh.enp0s8.locktime = 0
net.ipv6.neigh.enp0s8.mcast_resolicit = 0
net.ipv6.neigh.enp0s8.mcast_solicit = 3
net.ipv6.neigh.enp0s8.proxy_delay = 80
net.ipv6.neigh.enp0s8.proxy_qlen = 64
net.ipv6.neigh.enp0s8.retrans_time_ms = 1000
net.ipv6.neigh.enp0s8.ucast_solicit = 3
net.ipv6.neigh.enp0s8.unres_qlen = 101
net.ipv6.neigh.enp0s8.unres_qlen_bytes = 212992
net.ipv6.neigh.lo.anycast_delay = 100
net.ipv6.neigh.lo.app_solicit = 0
net.ipv6.neigh.lo.base_reachable_time_ms = 30000
net.ipv6.neigh.lo.delay_first_probe_time = 5
net.ipv6.neigh.lo.gc_stale_time = 60
net.ipv6.neigh.lo.locktime = 0
net.ipv6.neigh.lo.mcast_resolicit = 0
net.ipv6.neigh.lo.mcast_solicit = 3
net.ipv6.neigh.lo.proxy_delay = 80
net.ipv6.neigh.lo.proxy_qlen = 64
net.ipv6.neigh.lo.retrans_time_ms = 1000
net.ipv6.neigh.lo.ucast_solicit = 3
net.ipv6.neigh.lo.unres_qlen = 101
net.ipv6.neigh.lo.unres_qlen_bytes = 212992
net.ipv6.route.gc_elasticity = 9
net.ipv6.route.gc_interval = 30
net.ipv6.route.gc_min_interval = 0
net.ipv6.route.gc_min_interval_ms = 500
net.ipv6.route.gc_thresh = 1024
net.ipv6.route.gc_timeout = 60
net.ipv6.route.max_size = 4096
net.ipv6.route.min_adv_mss = 1220
net.ipv6.route.mtu_expires = 600
net.ipv6.seg6_flowlabel = 0
net.ipv6.xfrm6_gc_thresh = 32768

Additional context
I already disabled IPV6 on all interfaces
@mboelen
Copy link
Member

mboelen commented May 11, 2021

You say "I already disabled IPV6 on all interfaces". Can you show how you did that with the actual configuration that you have in place now?

@mboelen mboelen self-assigned this May 11, 2021
@yupthatguy
Copy link
Author

In my /etc/sysctl.conf I have the following:
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1

In my /etc/modrpobe.d/blacklist.conf file I have
blacklist ipv6

I tried all the other measures to disable ipv6 mentioned in
https://wiki.debian.org/KernelModuleBlacklisting

Lynis always says IPv6 is enabled

@mboelen
Copy link
Member

mboelen commented May 14, 2021

Did you also reboot the system and test again?

@yupthatguy
Copy link
Author

Many times.. still shows:

- Checking IPv6 configuration                               [ ENABLED ]
      Configuration method                                    [ AUTO ]
      IPv6 only                                               [ NO ]

@github-actions
Copy link

Stale issue message

@yupthatguy
Copy link
Author

What additional information do you need? How should I confirm this? The problem happens in both my virtualbox devbian 10.5 test machine and on my prod server (also debian 10.5).

@silentcreek
Copy link
Contributor

silentcreek commented Jul 6, 2021
edited
Loading

@mboelen The report is generally correct, even though the title is not precise. Test NETW-2600 merely checks for the presence of any sysctl parameters starting with net.ipv6 and if it finds any, it assumes IPv6 is enabled which is not correct. If all net.ipv6.conf.*.disable_ipv6 parameters are set to 1, then IPv6 is effectively disabled. Please note, that this setting must be checked for all interfaces, because if net.ipv6.conf.all.disable_ipv6=1 and net.ipv6.conf.default.disable_ipv6=1 are applied after an interface is set up, then the interface will still have IPv6 enabled.

@yupthatguy A few remarks on your configuration:

  1. net.ipv6.conf.lo.disable_ipv6=1 shouldn't be needed if your sysctl settings are applied early enough in the boot process. If they aren't, it might even be safer to list all interfaces explicitly in order to avoid race conditions where the interface is set up before your sysctl settings are applied.
  2. blacklist ipv6 in your modprobe configuration is unfortunately not effective. This only prevents loading the module directly. But if a different module is loaded that depends on ipv6, then the ipv6 module will still be loaded which is also why you see all the ipv6 settings in your sysctl output. If you really want to blacklist a module, you should do a fake install by replacing your blacklist statement with install ipv6 /bin/true. This is also why I said above, that the title of your issue is not precise. It should better be "Lynis ignores IPv6 disabled state" or so.
  3. It is easier or "cleaner", however, to disable IPv6 from the kernel command line. See e.g. https://www.techrepublic.com/article/how-to-disable-ipv6-through-grub-in-linux/
    This approach ensures that the ipv6 module and subsystem aren't loaded and sysctl -a | grep "^net.ipv6" will return nothing which also makes lynis happy and would work around your false positive report.

@yupthatguy
Copy link
Author

Thanks for the reply. I will give the grub edit method a try and let you know.

@yupthatguy
Copy link
Author

yupthatguy commented Jul 7, 2021
edited
Loading

The grub method of disabling IPv6 works like a charm... Lynis now recognizes that IPV6 is disabled. However, there was one mild "side-effect" that folks should be aware of.

Using the grub method to disable IPv6 resulted in dovecot service to fail. However, it was easy enough to fix:

#nano /etc/dovecot/dovecot.conf
change:
listen = *, ::

to

listen = *

Then,

#systemctl restart dovecot

And life is good again..

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mboelen mboelen

Labels
needs-confirmation no-issue-activity
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mboelen @silentcreek @yupthatguy