Skip to content

3.2.4 Ensure sctp kernel module is not available

Audit#

Run the following script to verify: - IF - the sctp kernel module is available in ANY installed kernel, verify: - An entry including /bin/true or /bin/false exists in a file within the /etc/modprobe.d/ directory - The module is deny listed in a file within the /etc/modprobe.d/ directory - The module is not loaded in the running kernel - IF - the sctp kernel module is not available on the system, or pre-compiled into the kernel, no additional configuration is necessary

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
#!/usr/bin/env bash
{
a_output=() a_output2=() a_output3=() l_dl="" l_mod_name="sctp"
l_mod_type="net"
l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
f_module_chk()
{
l_dl="y" a_showconfig=()
while IFS= read -r l_showconfig; do
a_showconfig+=("$l_showconfig")
done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_chk_name//-/_}"'\b')
if ! lsmod | grep "$l_mod_chk_name" &> /dev/null; then
a_output+=(" - kernel module: \"$l_mod_name\" is not loaded")
else
a_output2+=(" - kernel module: \"$l_mod_name\" is loaded")
fi
if grep -Pq -- '\binstall\h+'"${l_mod_chk_name//-/_}"'\h+(\/usr)?\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
a_output+=(" - kernel module: \"$l_mod_name\" is not loadable")
else
a_output2+=(" - kernel module: \"$l_mod_name\" is loadable")
fi
if grep -Pq -- '\bblacklist\h+'"${l_mod_chk_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
a_output+=(" - kernel module: \"$l_mod_name\" is deny listed")
else
a_output2+=(" - kernel module: \"$l_mod_name\" is not deny listed")
fi
}
for l_mod_base_directory in $l_mod_path; do
if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A "$l_mod_base_directory/${l_mod_name/-/\/}")" ]; then
a_output3+=(" - \"$l_mod_base_directory\"")
l_mod_chk_name="$l_mod_name"
[[ "$l_mod_name" =~ overlay ]] && l_mod_chk_name="${l_mod_name::-2}"
[ "$l_dl" != "y" ] && f_module_chk
else
a_output+=(" - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\"")
fi
done
[ "${#a_output3[@]}" -gt 0 ] && printf '%s\n' "" " -- INFO --" " - module: \"$l_mod_name\" exists in:" "${a_output3[@]}"
if [ "${#a_output2[@]}" -le 0 ]; then
printf '%s\n' "" "- Audit Result:" " ** PASS **" "${a_output[@]}"
else
printf '%s\n' "" "- Audit Result:" " ** FAIL **" " - Reason(s) for audit failure:" "${a_output2[@]}"
[ "${#a_output[@]}" -gt 0 ] && printf '%s\n' "- Correctly set:" "${a_output[@]}"
fi
}

Remediation#

Run the following script to unload and disable the sctp module: - IF - the sctp kernel module is available in ANY installed kernel: - Create a file ending in .conf with install sctp /bin/false in the /etc/modprobe.d/ directory - Create a file ending in .conf with blacklist sctp in the /etc/modprobe.d/ directory - Run modprobe -r sctp 2>/dev/null; rmmod sctp 2>/dev/null to remove sctp from the kernel - IF - the sctp kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#!/usr/bin/env bash
{
a_output2=() a_output3=() l_dl="" l_mod_name="sctp" l_mod_type="net"
l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
f_module_fix()
{
l_dl="y" a_showconfig=()
while IFS= read -r l_showconfig; do
a_showconfig+=("$l_showconfig")
done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_chk_name//-/_}"'\b')
if lsmod | grep "$l_mod_chk_name" &> /dev/null; then
a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
modprobe -r "$l_mod_chk_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
fi
if ! grep -Pq -- '\binstall\h+'"${l_mod_chk_name//-/_}"'\h+(\/usr)?\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
a_output2+=(" - setting kernel module: \"$l_mod_name\" to
\"$(readlink -f /bin/false)\"")
printf '%s\n' "install $l_mod_chk_name $(readlink -f /bin/false)" >> /etc/modprobe.d/"$l_mod_name".conf
fi
if ! grep -Pq -- '\bblacklist\h+'"${l_mod_chk_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
printf '%s\n' "blacklist $l_mod_chk_name" >> /etc/modprobe.d/"$l_mod_name".conf
fi
}
for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A "$l_mod_base_directory/${l_mod_name/-/\/}")" ]; then
a_output3+=(" - \"$l_mod_base_directory\"")
l_mod_chk_name="$l_mod_name"
[[ "$l_mod_name" =~ overlay ]] && l_mod_chk_name="${l_mod_name::-2}"
[ "$l_dl" != "y" ] && f_module_fix
else
printf '%s\n' " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
fi
done
[ "${#a_output3[@]}" -gt 0 ] && printf '%s\n' "" " -- INFO --" " - module: \"$l_mod_name\" exists in:" "${a_output3[@]}"
[ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "" "${a_output2[@]}" || printf '%s\n' "" " - No changes needed"
printf '%s\n' "" " - remediation of kernel module: \"$l_mod_name\" complete" ""
}