Align kernel module rules with DISA STIG Benchmarks #8942
Based on the SLE STIG, the rules need to check for blacklist, not installed.
STIG for RHEL8 and OL8 require that install and blacklist be configured.
Improve the template to, alongside the current check, also check for the blacklist keyword. This updates description and OCIL macros to mention the blacklist, along with the check and remediations. The check/remediation for blacklist is enabled for OL and RHEL.
The use of /etc/modprobe.conf was deprecated in RHEL6. https://access.redhat.com/solutions/43486
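The combined condition this change introduces, an `install <module> /bin/true` line and a `blacklist <module>` line both present under /etc/modprobe.d, written out as an added shell audit helper. This is example code, not part of the PR or of the ComplianceAsCode project; the sample directory it builds and the file contents in it are constructed, and the function and file names are assumptions.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode's own code: audit the modprobe configuration
# for a kernel module the way the updated OVAL does, requiring BOTH an
# "install <mod> /bin/true" line AND a "blacklist <mod>" line (criteria AND).
# The directory and file contents built below are constructed samples.

# Print which of the two required lines exist for module $1 under directory $2.
# Output is one of: compliant, missing-blacklist, missing-install, missing-both.
kernmod_status() {
  mod="$1"
  dir="$2"
  inst=0
  bl=0
  # Look at every *.conf file, which is what modprobe reads from the directory.
  # Whitespace around the keywords is tolerated and /bin/false is accepted as
  # well as /bin/true, since either replaces the real module load. The module
  # name is bounded by whitespace so "can" does not match "vcan" or "can_raw".
  if LC_ALL=C grep -Eqs "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(true|false)[[:space:]]*$" "$dir"/*.conf; then
    inst=1
  fi
  if LC_ALL=C grep -Eqs "^[[:space:]]*blacklist[[:space:]]+${mod}[[:space:]]*$" "$dir"/*.conf; then
    bl=1
  fi
  case "${inst}${bl}" in
    11) echo compliant ;;
    10) echo missing-blacklist ;;
    01) echo missing-install ;;
    *)  echo missing-both ;;
  esac
}

# Exit 0 only when both lines are present, so callers can use it in if/&&.
kernmod_is_disabled() {
  [ "$(kernmod_status "$1" "$2")" = compliant ]
}

# Build a constructed sample directory standing in for /etc/modprobe.d.
make_sample_dir() {
  d=$(mktemp -d)
  # atm: both lines, as the new remediation leaves the file.
  printf 'install atm /bin/true\nblacklist atm\n' > "$d/atm.conf"
  # can: only the old-style install line, which the tightened check rejects.
  printf 'install can /bin/true\n' > "$d/can.conf"
  # dccp: blacklisted in a shared site file, but no install line anywhere.
  printf '# site blacklist\nblacklist dccp\n' > "$d/blacklist.conf"
  echo "$d"
}

# Demo on the constructed directory; a real audit would pass /etc/modprobe.d.
sample=$(make_sample_dir)
for m in atm can dccp sctp; do
  printf '%-6s %s\n' "$m" "$(kernmod_status "$m" "$sample")"
done
rm -rf "$sample"
```

The four statuses map onto what the new OVAL and the old OVAL disagree about: `missing-blacklist` is exactly the state of a host that passed before this change and fails after it, which is the population the remediation in this PR exists to fix.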
@teacup-on-rockingchair @brett060102 @anivan-suse Hi, are you okay with 0b67d78? It removes the checks for
This datastream diff is auto generated by the check.
OVAL definition oval:ssg-kernel_module_atm_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_atm_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_atm_blacklisted:tst:1
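Review bot: the new `criteria AND` makes `oval:ssg-test_kernmod_atm_blacklisted:tst:1` a hard requirement next to the existing install test, so every RHEL/OL host that passes today with only `install atm /bin/true` flips to fail until the new remediation has run; that is the intended STIG alignment, but it deserves a sentence in the rule description or release notes. Dropping `oval:ssg-test_kernmod_atm_modprobeconf:tst:1` also means a line in the deprecated /etc/modprobe.conf no longer satisfies the automated check, while the OCIL text below still sends the auditor to grep that file.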
OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,10 @@
If the system is configured to prevent the loading of the atm kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf.
+it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
+
+These lines can also instruct the module loading system to ignore the atm kernel module via blacklist keyword.
+
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r atm /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?
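Review bot: the added sentence introduces the blacklist keyword but the check itself is unchanged, so an auditor who finds only one of the two lines with `grep -r atm /etc/modprobe.conf /etc/modprobe.d` has no way to tell that the automated OVAL now requires both; state that both an `install atm /bin/true` line and a `blacklist atm` line must be present, and write "via the blacklist keyword" in the new sentence.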
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install atm /bin/true" >> /etc/modprobe.d/atm.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist atm$" /etc/modprobe.d/atm.conf ; then
+ echo "blacklist atm" >> /etc/modprobe.d/atm.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
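Review bot: the guard only inspects /etc/modprobe.d/atm.conf, whereas the OVAL accepts the blacklist line in any file under /etc/modprobe.d, so a host that already carries `blacklist atm` in a shared file (a site blacklist.conf, say) gets a duplicate line appended on every run; harmless to modprobe, but the remediation is then not idempotent. Matching against `/etc/modprobe.d/*.conf` before appending avoids that, and `-m 1` is redundant once `-q` is given.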
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled' differs:
--- old datastream
+++ new datastream
@@ -15,3 +15,21 @@
- medium_disruption
- medium_severity
- reboot_required
+
+- name: Ensure kernel module 'atm' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/atm.conf
+ regexp: ^blacklist atm$
+ line: blacklist atm
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82028-2
+ - DISA-STIG-RHEL-08-040021
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_atm_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
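Review bot: `create: true` without a `mode` leaves the permissions of a freshly created /etc/modprobe.d/atm.conf to the managed host's umask; adding `mode: '0644'` with `owner: root` and `group: root` pins what the task produces and keeps it in line with the file the bash remediation appends to. The anchored `regexp: ^blacklist atm$` also fails to match an existing line with trailing whitespace and then adds a second one, the same idempotency gap as the bash check.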
OVAL definition oval:ssg-kernel_module_can_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_can_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_can_blacklisted:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,10 @@
If the system is configured to prevent the loading of the can kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf.
+it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
+
+These lines can also instruct the module loading system to ignore the can kernel module via blacklist keyword.
+
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r can /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?
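Review bot: now that the guidance covers two keywords, the unanchored `grep -r can` on the unchanged check line is a poor fit for this module in particular: it matches any line containing the substring `can`, including comments and entries for `vcan` or `can_raw`, so an auditor can be shown a hit that is neither an `install can` nor a `blacklist can` line. Since these OCIL texts come from the template per the description, something like `grep -rE '^(install|blacklist)[[:space:]]+can([[:space:]]|$)' /etc/modprobe.d` fixes the pattern once for every module.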
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install can /bin/true" >> /etc/modprobe.d/can.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist can$" /etc/modprobe.d/can.conf ; then
+ echo "blacklist can" >> /etc/modprobe.d/can.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled' differs:
--- old datastream
+++ new datastream
@@ -15,3 +15,21 @@
- medium_disruption
- medium_severity
- reboot_required
+
+- name: Ensure kernel module 'can' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/can.conf
+ regexp: ^blacklist can$
+ line: blacklist can
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82059-7
+ - DISA-STIG-RHEL-08-040022
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_can_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
OVAL definition oval:ssg-kernel_module_dccp_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_dccp_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_dccp_blacklisted:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,10 @@
If the system is configured to prevent the loading of the dccp kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf.
+it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
+
+These lines can also instruct the module loading system to ignore the dccp kernel module via blacklist keyword.
+
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install dccp /bin/true" >> /etc/modprobe.d/dccp.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist dccp$" /etc/modprobe.d/dccp.conf ; then
+ echo "blacklist dccp" >> /etc/modprobe.d/dccp.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled' differs:
--- old datastream
+++ new datastream
@@ -18,3 +18,24 @@
- medium_disruption
- medium_severity
- reboot_required
+
+- name: Ensure kernel module 'dccp' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/dccp.conf
+ regexp: ^blacklist dccp$
+ line: blacklist dccp
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80833-7
+ - CJIS-5.10.1
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_dccp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
OVAL definition oval:ssg-kernel_module_firewire-core_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_firewire-core_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_firewire-core_blacklisted:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,10 @@
If the system is configured to prevent the loading of the firewire-core kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf.
+it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
+
+These lines can also instruct the module loading system to ignore the firewire-core kernel module via blacklist keyword.
+
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r firewire-core /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install firewire-core /bin/true" >> /etc/modprobe.d/firewire-core.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist firewire-core$" /etc/modprobe.d/firewire-core.conf ; then
+ echo "blacklist firewire-core" >> /etc/modprobe.d/firewire-core.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled' differs:
--- old datastream
+++ new datastream
@@ -15,3 +15,21 @@
- low_severity
- medium_disruption
- reboot_required
+
+- name: Ensure kernel module 'firewire-core' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/firewire-core.conf
+ regexp: ^blacklist firewire-core$
+ line: blacklist firewire-core
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82005-0
+ - DISA-STIG-RHEL-08-040026
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_firewire-core_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
OVAL definition oval:ssg-kernel_module_rds_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_rds_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_rds_blacklisted:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,10 @@
If the system is configured to prevent the loading of the rds kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf.
+it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
+
+These lines can also instruct the module loading system to ignore the rds kernel module via blacklist keyword.
+
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r rds /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install rds /bin/true" >> /etc/modprobe.d/rds.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist rds$" /etc/modprobe.d/rds.conf ; then
+ echo "blacklist rds" >> /etc/modprobe.d/rds.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled' differs:
--- old datastream
+++ new datastream
@@ -16,3 +16,22 @@
- low_severity
- medium_disruption
- reboot_required
+
+- name: Ensure kernel module 'rds' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/rds.conf
+ regexp: ^blacklist rds$
+ line: blacklist rds
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82870-7
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_rds_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
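Review bot: this task carries NIST-800-53 tags only and no DISA-STIG reference, so the blacklist requirement is being applied to every templated kernel module rule in the RHEL/OL build, not just the STIG-referenced ones such as atm, can or sctp; that is consistent with "enabled for OL and RHEL" in the description, but worth stating explicitly, because rds and the other non-STIG rules in this diff also tighten from one required line to two.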
OVAL definition oval:ssg-kernel_module_sctp_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_sctp_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_sctp_blacklisted:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,10 @@
If the system is configured to prevent the loading of the sctp kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf.
+it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
+
+These lines can also instruct the module loading system to ignore the sctp kernel module via blacklist keyword.
+
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install sctp /bin/true" >> /etc/modprobe.d/sctp.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist sctp$" /etc/modprobe.d/sctp.conf ; then
+ echo "blacklist sctp" >> /etc/modprobe.d/sctp.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled' differs:
--- old datastream
+++ new datastream
@@ -19,3 +19,25 @@
- medium_disruption
- medium_severity
- reboot_required
+
+- name: Ensure kernel module 'sctp' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/sctp.conf
+ regexp: ^blacklist sctp$
+ line: blacklist sctp
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80834-5
+ - CJIS-5.10.1
+ - DISA-STIG-RHEL-08-040023
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_sctp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
OVAL definition oval:ssg-kernel_module_tipc_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_tipc_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_tipc_blacklisted:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,10 @@
If the system is configured to prevent the loading of the tipc kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf.
+it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
+
+These lines can also instruct the module loading system to ignore the tipc kernel module via blacklist keyword.
+
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install tipc /bin/true" >> /etc/modprobe.d/tipc.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist tipc$" /etc/modprobe.d/tipc.conf ; then
+ echo "blacklist tipc" >> /etc/modprobe.d/tipc.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled' differs:
--- old datastream
+++ new datastream
@@ -17,3 +17,23 @@
- low_severity
- medium_disruption
- reboot_required
+
+- name: Ensure kernel module 'tipc' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/tipc.conf
+ regexp: ^blacklist tipc$
+ line: blacklist tipc
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82297-3
+ - DISA-STIG-RHEL-08-040024
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_tipc_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
OVAL definition oval:ssg-kernel_module_bluetooth_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_bluetooth_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_bluetooth_blacklisted:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,10 @@
If the system is configured to prevent the loading of the bluetooth kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf.
+it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
+
+These lines can also instruct the module loading system to ignore the bluetooth kernel module via blacklist keyword.
+
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install bluetooth /bin/true" >> /etc/modprobe.d/bluetooth.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist bluetooth$" /etc/modprobe.d/bluetooth.conf ; then
+ echo "blacklist bluetooth" >> /etc/modprobe.d/bluetooth.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled' differs:
--- old datastream
+++ new datastream
@@ -22,3 +22,28 @@
- medium_disruption
- medium_severity
- reboot_required
+
+- name: Ensure kernel module 'bluetooth' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/bluetooth.conf
+ regexp: ^blacklist bluetooth$
+ line: blacklist bluetooth
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80832-9
+ - CJIS-5.13.1.3
+ - DISA-STIG-RHEL-08-040111
+ - NIST-800-171-3.1.16
+ - NIST-800-53-AC-18(3)
+ - NIST-800-53-AC-18(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - disable_strategy
+ - kernel_module_bluetooth_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
OVAL definition oval:ssg-kernel_module_cfg80211_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_cfg80211_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_cfg80211_blacklisted:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,10 @@
If the system is configured to prevent the loading of the cfg80211 kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf.
+it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
+
+These lines can also instruct the module loading system to ignore the cfg80211 kernel module via blacklist keyword.
+
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r cfg80211 /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install cfg80211 /bin/true" >> /etc/modprobe.d/cfg80211.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist cfg80211$" /etc/modprobe.d/cfg80211.conf ; then
+ echo "blacklist cfg80211" >> /etc/modprobe.d/cfg80211.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled' differs:
--- old datastream
+++ new datastream
@@ -19,3 +19,25 @@
- medium_disruption
- medium_severity
- reboot_required
+
+- name: Ensure kernel module 'cfg80211' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/cfg80211.conf
+ regexp: ^blacklist cfg80211$
+ line: blacklist cfg80211
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-18(3)
+ - NIST-800-53-AC-18(4)
+ - NIST-800-53-AC-18(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - disable_strategy
+ - kernel_module_cfg80211_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
OVAL definition oval:ssg-kernel_module_iwlmvm_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_iwlmvm_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_iwlmvm_blacklisted:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,10 @@
If the system is configured to prevent the loading of the iwlmvm kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf.
+it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
+
+These lines can also instruct the module loading system to ignore the iwlmvm kernel module via blacklist keyword.
+
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r iwlmvm /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install iwlmvm /bin/true" >> /etc/modprobe.d/iwlmvm.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist iwlmvm$" /etc/modprobe.d/iwlmvm.conf ; then
+ echo "blacklist iwlmvm" >> /etc/modprobe.d/iwlmvm.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled' differs:
--- old datastream
+++ new datastream
@@ -19,3 +19,25 @@
- medium_disruption
- medium_severity
- reboot_required
+
+- name: Ensure kernel module 'iwlmvm' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/iwlmvm.conf
+ regexp: ^blacklist iwlmvm$
+ line: blacklist iwlmvm
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-18(3)
+ - NIST-800-53-AC-18(4)
+ - NIST-800-53-AC-18(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - disable_strategy
+ - kernel_module_iwlmvm_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
OVAL definition oval:ssg-kernel_module_iwlwifi_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_iwlwifi_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_iwlwifi_blacklisted:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,10 @@
If the system is configured to prevent the loading of the iwlwifi kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf.
+it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
+
+These lines can also instruct the module loading system to ignore the iwlwifi kernel module via blacklist keyword.
+
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r iwlwifi /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install iwlwifi /bin/true" >> /etc/modprobe.d/iwlwifi.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist iwlwifi$" /etc/modprobe.d/iwlwifi.conf ; then
+ echo "blacklist iwlwifi" >> /etc/modprobe.d/iwlwifi.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled' differs:
--- old datastream
+++ new datastream
@@ -19,3 +19,25 @@
- medium_disruption
- medium_severity
- reboot_required
+
+- name: Ensure kernel module 'iwlwifi' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/iwlwifi.conf
+ regexp: ^blacklist iwlwifi$
+ line: blacklist iwlwifi
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-18(3)
+ - NIST-800-53-AC-18(4)
+ - NIST-800-53-AC-18(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - disable_strategy
+ - kernel_module_iwlwifi_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
OVAL definition oval:ssg-kernel_module_mac80211_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_mac80211_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_mac80211_blacklisted:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,10 @@
If the system is configured to prevent the loading of the mac80211 kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf.
+it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
+
+These lines can also instruct the module loading system to ignore the mac80211 kernel module via blacklist keyword.
+
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r mac80211 /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install mac80211 /bin/true" >> /etc/modprobe.d/mac80211.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist mac80211$" /etc/modprobe.d/mac80211.conf ; then
+ echo "blacklist mac80211" >> /etc/modprobe.d/mac80211.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled' differs:
--- old datastream
+++ new datastream
@@ -19,3 +19,25 @@
- medium_disruption
- medium_severity
- reboot_required
+
+- name: Ensure kernel module 'mac80211' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/mac80211.conf
+ regexp: ^blacklist mac80211$
+ line: blacklist mac80211
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-53-AC-18(3)
+ - NIST-800-53-AC-18(4)
+ - NIST-800-53-AC-18(a)
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - disable_strategy
+ - kernel_module_mac80211_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
OVAL definition oval:ssg-kernel_module_cramfs_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_cramfs_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_cramfs_blacklisted:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,10 @@
If the system is configured to prevent the loading of the cramfs kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf.
+it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
+
+These lines can also instruct the module loading system to ignore the cramfs kernel module via blacklist keyword.
+
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r cramfs /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist cramfs$" /etc/modprobe.d/cramfs.conf ; then
+ echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled' differs:
--- old datastream
+++ new datastream
@@ -18,3 +18,24 @@
- low_severity
- medium_disruption
- reboot_required
+
+- name: Ensure kernel module 'cramfs' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/cramfs.conf
+ regexp: ^blacklist cramfs$
+ line: blacklist cramfs
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-81031-7
+ - DISA-STIG-RHEL-08-040025
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_cramfs_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
OVAL definition oval:ssg-kernel_module_freevxfs_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_freevxfs_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_freevxfs_blacklisted:tst:1
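Review bot: for freevxfs (and hfs below) the OVAL and both remediations change but no OCIL diff is listed, unlike every rule above; either these rules' OCIL is not generated from the updated template or they have none, and in the former case the manual check keeps describing only the install line while the automated check now requires the blacklist line as well.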
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install freevxfs /bin/true" >> /etc/modprobe.d/freevxfs.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist freevxfs$" /etc/modprobe.d/freevxfs.conf ; then
+ echo "blacklist freevxfs" >> /etc/modprobe.d/freevxfs.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled' differs:
--- old datastream
+++ new datastream
@@ -16,3 +16,22 @@
- low_severity
- medium_disruption
- reboot_required
+
+- name: Ensure kernel module 'freevxfs' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/freevxfs.conf
+ regexp: ^blacklist freevxfs$
+ line: blacklist freevxfs
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_freevxfs_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
OVAL definition oval:ssg-kernel_module_hfs_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_hfs_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_hfs_blacklisted:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install hfs /bin/true" >> /etc/modprobe.d/hfs.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist hfs$" /etc/modprobe.d/hfs.conf ; then
+ echo "blacklist hfs" >> /etc/modprobe.d/hfs.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled' differs:
--- old datastream
+++ new datastream
@@ -16,3 +16,22 @@
- low_severity
- medium_disruption
- reboot_required
+
+- name: Ensure kernel module 'hfs' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/hfs.conf
+ regexp: ^blacklist hfs$
+ line: blacklist hfs
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_hfs_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
OVAL definition oval:ssg-kernel_module_hfsplus_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_hfsplus_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_hfsplus_blacklisted:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install hfsplus /bin/true" >> /etc/modprobe.d/hfsplus.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist hfsplus$" /etc/modprobe.d/hfsplus.conf ; then
+ echo "blacklist hfsplus" >> /etc/modprobe.d/hfsplus.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled' differs:
--- old datastream
+++ new datastream
@@ -16,3 +16,22 @@
- low_severity
- medium_disruption
- reboot_required
+
+- name: Ensure kernel module 'hfsplus' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/hfsplus.conf
+ regexp: ^blacklist hfsplus$
+ line: blacklist hfsplus
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_hfsplus_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
OVAL definition oval:ssg-kernel_module_jffs2_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_jffs2_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_jffs2_blacklisted:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install jffs2 /bin/true" >> /etc/modprobe.d/jffs2.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist jffs2$" /etc/modprobe.d/jffs2.conf ; then
+ echo "blacklist jffs2" >> /etc/modprobe.d/jffs2.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled' differs:
--- old datastream
+++ new datastream
@@ -16,3 +16,22 @@
- low_severity
- medium_disruption
- reboot_required
+
+- name: Ensure kernel module 'jffs2' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/jffs2.conf
+ regexp: ^blacklist jffs2$
+ line: blacklist jffs2
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_jffs2_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
OVAL definition oval:ssg-kernel_module_squashfs_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_squashfs_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_squashfs_blacklisted:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install squashfs /bin/true" >> /etc/modprobe.d/squashfs.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist squashfs$" /etc/modprobe.d/squashfs.conf ; then
+ echo "blacklist squashfs" >> /etc/modprobe.d/squashfs.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled' differs:
--- old datastream
+++ new datastream
@@ -17,3 +17,23 @@
- low_severity
- medium_disruption
- reboot_required
+
+- name: Ensure kernel module 'squashfs' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/squashfs.conf
+ regexp: ^blacklist squashfs$
+ line: blacklist squashfs
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-83498-6
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_squashfs_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
OVAL definition oval:ssg-kernel_module_udf_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_udf_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_udf_blacklisted:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install udf /bin/true" >> /etc/modprobe.d/udf.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist udf$" /etc/modprobe.d/udf.conf ; then
+ echo "blacklist udf" >> /etc/modprobe.d/udf.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled' differs:
--- old datastream
+++ new datastream
@@ -17,3 +17,23 @@
- low_severity
- medium_disruption
- reboot_required
+
+- name: Ensure kernel module 'udf' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/udf.conf
+ regexp: ^blacklist udf$
+ line: blacklist udf
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82729-5
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_udf_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
OVAL definition oval:ssg-kernel_module_usb-storage_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_usb-storage_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_usb-storage_blacklisted:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,10 @@
If the system is configured to prevent the loading of the usb-storage kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf.
+it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
+
+These lines can also instruct the module loading system to ignore the usb-storage kernel module via blacklist keyword.
+
Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d
Is it the case that no line is returned?
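Review bot: the added sentence reads "via blacklist keyword" and should be "via the blacklist keyword". More substantively, the check command `grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d` and the question "Is it the case that no line is returned?" do not let the auditor tell whether both the `install` and the `blacklist` line are present, which is what the RHEL8 STIG now demands and what the OVAL enforces; suggest narrowing the grep to `grep -rE "^\s*(install|blacklist)\s+usb-storage" /etc/modprobe.d` and asking whether either keyword is missing. The command also still searches the deprecated /etc/modprobe.conf even though its OVAL criterion was removed in this PR, so check and OCIL have drifted apart on that point.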
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb-storage.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist usb-storage$" /etc/modprobe.d/usb-storage.conf ; then
+ echo "blacklist usb-storage" >> /etc/modprobe.d/usb-storage.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled' differs:
--- old datastream
+++ new datastream
@@ -19,3 +19,25 @@
- medium_disruption
- medium_severity
- reboot_required
+
+- name: Ensure kernel module 'usb-storage' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/usb-storage.conf
+ regexp: ^blacklist usb-storage$
+ line: blacklist usb-storage
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80835-2
+ - DISA-STIG-RHEL-08-040080
+ - NIST-800-171-3.1.21
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - NIST-800-53-MP-7
+ - disable_strategy
+ - kernel_module_usb-storage_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
OVAL definition oval:ssg-kernel_module_vfat_disabled:def:1 differs:
--- old datastream
+++ new datastream
- criterion oval:ssg-test_kernmod_vfat_modprobeconf:tst:1
+ criteria AND
+ criterion oval:ssg-test_kernmod_vfat_blacklisted:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_vfat_disabled' differs:
--- old datastream
+++ new datastream
@@ -9,6 +9,10 @@
echo "install vfat /bin/true" >> /etc/modprobe.d/vfat.conf
fi
+if ! LC_ALL=C grep -q -m 1 "^blacklist vfat$" /etc/modprobe.d/vfat.conf ; then
+ echo "blacklist vfat" >> /etc/modprobe.d/vfat.conf
+fi
+
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_vfat_disabled' differs:
--- old datastream
+++ new datastream
@@ -17,3 +17,23 @@
- low_severity
- medium_disruption
- reboot_required
+
+- name: Ensure kernel module 'vfat' is blacklisted
+ lineinfile:
+ create: true
+ dest: /etc/modprobe.d/vfat.conf
+ regexp: ^blacklist vfat$
+ line: blacklist vfat
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82170-2
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_vfat_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required |
looks great!
Make sure the kernel module is url encoded.
LGTM
This aligns the check with the remediation.
@yuumasato: The following tests failed, say
Code Climate has analyzed commit 0b7ae4a and detected 1 issue on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 42.8% (16.6% change). View more on Code Climate.
I wonder if RHEL9 should also be included in the jinja macros changed here. Something like:
@ggbecker Feel free to submit a PR.
Description:
- `kernel_module_disabled` template with DISA STIG Benchmarks
- `install` keyword any more
- `blacklist` keyword
- `/etc/modprobe.conf` in RHEL, it was deprecated.

Rationale: