From d5673795ba2f87ae1649c84591ee13d7876af0b2 Mon Sep 17 00:00:00 2001
|
|
 |
d10e36 |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
 |
d10e36 |
Date: Wed, 13 Jan 2021 14:01:03 +0100
|
|
 |
d10e36 |
Subject: [PATCH 1/3] add rule
|
|
 |
d10e36 |
|
|
 |
d10e36 |
---
|
|
 |
d10e36 |
.../sysctl_kernel_modules_disabled/rule.yml | 34 +++++++++++++++++++
|
|
 |
d10e36 |
1 file changed, 34 insertions(+)
|
|
 |
d10e36 |
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
|
 |
d10e36 |
|
|
 |
d10e36 |
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
|
 |
d10e36 |
new file mode 100644
|
|
 |
d10e36 |
index 0000000000..1811c43815
|
|
 |
d10e36 |
--- /dev/null
|
|
 |
d10e36 |
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
|
|
 |
d10e36 |
@@ -0,0 +1,34 @@
|
|
 |
d10e36 |
+documentation_complete: true
|
|
 |
d10e36 |
+
|
|
 |
d10e36 |
+prodtype: fedora,ol8,rhel7,rhel8
|
|
 |
d10e36 |
+
|
|
 |
d10e36 |
+title: 'Disable loading and unloading of kernel modules'
|
|
 |
d10e36 |
+
|
|
 |
d10e36 |
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}'
|
|
 |
d10e36 |
+
|
|
 |
d10e36 |
+rationale: |-
|
|
 |
d10e36 |
+ Malicious kernel modules can have a significant impact on system security and
|
|
 |
d10e36 |
+ availability. Disabling loading of kernel modules prevents this threat. Note
|
|
 |
d10e36 |
+ that once this option has been set, it cannot be reverted without doing a
|
|
 |
d10e36 |
+ system reboot. Make sure that all needed kernel modules are loaded before
|
|
 |
d10e36 |
+ setting this option.
|
|
 |
d10e36 |
+
|
|
 |
d10e36 |
+severity: medium
|
|
 |
d10e36 |
+
|
|
 |
d10e36 |
+identifiers:
|
|
 |
d10e36 |
+ cce@rhel7: CCE-83392-1
|
|
 |
d10e36 |
+ cce@rhel8: CCE-83397-0
|
|
 |
d10e36 |
+
|
|
 |
d10e36 |
+references:
|
|
 |
d10e36 |
+ anssi: BP28(R24)
|
|
 |
d10e36 |
+
|
|
 |
d10e36 |
+{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}
|
|
 |
d10e36 |
+
|
|
 |
d10e36 |
+platform: machine
|
|
 |
d10e36 |
+
|
|
 |
d10e36 |
+template:
|
|
 |
d10e36 |
+ name: sysctl
|
|
 |
d10e36 |
+ vars:
|
|
 |
d10e36 |
+ sysctlvar: kernel.modules_disabled
|
|
 |
d10e36 |
+ sysctlval: '1'
|
|
 |
d10e36 |
+ datatype: int
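Review bot: The rule has no `warnings:` entry even though kernel.modules_disabled is a one-way latch — once written as 1 it cannot be reset to 0 without a reboot, and both loading and unloading of modules are refused, which the rationale only touches in a single sentence. Persisting the value through the `template: sysctl` block at the end of the hunk presumably lands in /etc/sysctl.d, which systemd-sysctl applies early in boot; any module that is normally autoloaded on demand later (netfilter, filesystem or crypto modules pulled in via request_module) would then fail to load unless it is pinned in /etc/modules-load.d or the setting is applied late in boot by a dedicated unit — worth confirming against what the sysctl template's remediation actually does. Running the remediation on a live host also locks the host immediately rather than at next boot, so operators should be told to stage it. I would add a `warnings:` block next to `platform: machine` spelling this out; the proposed text follows.

```yaml
# … unchanged: rationale, severity, identifiers, references, OCIL entry …
platform: machine

warnings:
    - general: |-
        kernel.modules_disabled is a one-way switch: once set to 1 it cannot be
        reset to 0 without rebooting, and both loading and unloading of kernel
        modules are refused. When the value is persisted under /etc/sysctl.d it
        is applied early in boot by systemd-sysctl, before on-demand module
        autoloading, so every module the system needs must be loaded explicitly
        (for example via /etc/modules-load.d) or the setting must be applied
        late in boot; applying the remediation to a running system takes effect
        immediately.

# … unchanged: sysctl template block …
```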
|
|
 |
d10e36 |
|
|
 |
d10e36 |
From 5e4f6a4a0b70c07488595080cfd98fdbfb02e352 Mon Sep 17 00:00:00 2001
|
|
 |
d10e36 |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
 |
d10e36 |
Date: Wed, 13 Jan 2021 14:01:15 +0100
|
|
 |
d10e36 |
Subject: [PATCH 2/3] add rule to anssi profile
|
|
 |
d10e36 |
|
|
 |
d10e36 |
---
|
|
 |
d10e36 |
controls/anssi.yml | 3 ++-
|
|
 |
d10e36 |
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
 |
d10e36 |
|
|
 |
d10e36 |
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
|
 |
d10e36 |
index 9e2b899b6d..f435459af3 100644
|
|
 |
d10e36 |
--- a/controls/anssi.yml
|
|
 |
d10e36 |
+++ b/controls/anssi.yml
|
|
 |
d10e36 |
@@ -483,7 +483,8 @@ controls:
|
|
 |
d10e36 |
sysctl kernel.modules_disabledconf:
|
|
 |
d10e36 |
Prohibition of loading modules (except those already loaded to this point)
|
|
 |
d10e36 |
kernel.modules_disabled = 1
|
|
 |
d10e36 |
- # rules: TBD
|
|
 |
d10e36 |
+ rules:
|
|
 |
d10e36 |
+ - sysctl_kernel_modules_disabled
|
|
 |
d10e36 |
|
|
 |
d10e36 |
- id: R25
|
|
 |
d10e36 |
level: enhanced
|
|
 |
d10e36 |