File: rule.yml

scap-security-guide 0.1.78-1
# Rule definition for a check that the sysctl kernel.modules_disabled is 1.
# This file is a template: the triple-brace macro calls below are expanded
# first, and only the expanded text is parsed as YAML.
documentation_complete: true


title: 'Disable loading and unloading of kernel modules'

# The description text is produced by a macro called with the sysctl name and
# the expected value; the generated wording is not visible in this file.
description: '{{{ describe_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}'

# Operational caveat carried by the rationale: the setting is one-way until
# the next reboot, so every module the system needs must already be loaded
# when it is applied.
rationale: |-
    Malicious kernel modules can have a significant impact on system security and
    availability. Disabling loading of kernel modules prevents this threat. Note
    that once this option has been set, it cannot be reverted without doing a
    system reboot. Make sure that all needed kernel modules are loaded before
    setting this option.

severity: medium

# CCE identifiers, one per product key (rhel8, rhel9, rhel10, sle12, sle15).
identifiers:
    cce@rhel8: CCE-83397-0
    cce@rhel9: CCE-83967-0
    cce@rhel10: CCE-87060-0
    cce@sle12: CCE-91566-0
    cce@sle15: CCE-91256-8

# Top-level macro call for the same sysctl and value; presumably expands to
# the rule's OCIL (manual check) entries - confirm against the macro
# definition.
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}

# Applicability is limited to the platform named system_with_kernel
# (presumably excludes targets that do not run their own kernel - confirm
# against the platform definition).
platform: system_with_kernel

# User-facing notice that the rule is check-only; it matches no_remediation
# and the disabled backends in the template section below.
warnings:
  - general:
      This rule doesn't come with remediation.
      Remediating this rule during the installation process disrupts the install and boot process.

# Rule content is generated from the sysctl template with these variables.
template:
    name: sysctl
    vars:
        sysctlvar: kernel.modules_disabled
        # Expected value is a quoted string; its type is declared separately
        # by datatype.
        sysctlval: '1'
        datatype: int
        # No fix content is generated, so a scan reports the state only and
        # enabling the setting is left to the administrator.
        no_remediation: true
    backends:
        # Automated remediation of this rule during installations disrupts the first boot
        # 'off' is quoted so that a YAML 1.1 parser keeps it as a string
        # instead of reading it as boolean false.
        bash: 'off'
        ansible: 'off'