V-38546: Disable IPv6 system-wide

This is a serious change to consider and it requires a deployer to opt-in.

Implements: blueprint security-hardening

Change-Id: I7e387ea5cacd1dd67419c3a3d2474bf37357d097

defaults/main.yml

@@ -196,3 +196,9 @@ sysctl_tunable:
 # See the documentation for V-38622 for more details.
 #
 postfix_inet_interfaces: localhost                # V-38622
+
+## Disabling IPv6
+# Deployers who wish to disable IPv6 entirely must set this configuration
+# variable to 'yes'. See the documentation for V-38546 before making this
+# change.
+disable_ipv6: no                                  # V-38546

doc/source/developer-notes/V-38546.rst

@@ -0,0 +1,14 @@
+**Opt-in required**
+
+The STIG requires IPv6 to be disabled system-wide unless it is needed for the
+system to operate. Deployers must consider how their network is configured
+before disabling IPv6 entirely.
+
+To opt-in for this change, set the following Ansible variable to ``yes``:
+
+.. code-block:: yaml
+
+    disable_ipv6: yes
+
+**NOTE:** This change will go into effect **immediately** on the system and
+persist through reboots.

tasks/kernel.yml

@@ -149,6 +149,21 @@
     - cat2
     - V-38517
 
+- name: Disable IPv6
+  sysctl:
+    name: "{{ item }}"
+    value: 1
+    state: present
+    sysctl_set: yes
+  with_items:
+    - net.ipv6.conf.all.disable_ipv6
+    - net.ipv6.conf.default.disable_ipv6
+  when: disable_ipv6 | bool
+  tags:
+    - kernel
+    - cat2
+    - V-38546
+
 - name: V-38682 - Disable bluetooth module
   copy:
     src: V-38682-modprobe.conf