Merge "CIS 3.3.3 Ensure IPv6 is disabled"
diff --git a/metadata/service/system/cis/cis-3-3-3.yml b/metadata/service/system/cis/cis-3-3-3.yml
new file mode 100644
index 0000000..8ae2903
--- /dev/null
+++ b/metadata/service/system/cis/cis-3-3-3.yml
@@ -0,0 +1,35 @@
+# CIS 3.3.3 Ensure IPv6 is disabled
+#
+# Description
+# ===========
+# Although IPv6 has many advantages over IPv4, few organizations have
+# implemented IPv6.
+#
+# Rationale
+# =========
+# If IPv6 is not to be used, it is recommended that it be disabled to
+# reduce the attack surface of the system.
+#
+# Audit
+# ======
+# Run the following command and verify that each linux line has
+# the 'ipv6.disable=1' parameter set:
+#
+# # grep "^\s*linux" /boot/grub/grub.cfg
+#
+# Remediation
+# ===========
+# Edit /etc/default/grub and add 'ipv6.disable=1' to GRUB_CMDLINE_LINUX:
+#
+# GRUB_CMDLINE_LINUX="ipv6.disable=1"
+#
+# Run the following command to update the grub2 configuration:
+#
+# # update-grub
+#
+parameters:
+ linux:
+ system:
+ kernel:
+ boot_options:
+ - ipv6.disable=1
diff --git a/metadata/service/system/cis/init.yml b/metadata/service/system/cis/init.yml
new file mode 100644
index 0000000..fa119a2
--- /dev/null
+++ b/metadata/service/system/cis/init.yml
@@ -0,0 +1,2 @@
+classes:
+- service.linux.system.cis.cis-3-3-3