ComplianceAsCode / community

This repository is for management of all ComplianceAsCode community related initiatives.

RHEL 7 STIG Update - RHEL-07-020101 - Rule Update #45

Closed mrabe142 closed 5 years ago

mrabe142 commented 6 years ago

As part of the latest RHEL 7 STIG update referenced in https://github.com/ComplianceAsCode/content/issues/3370, a rule has been updated in the current version. Information about the rule change is outlined below:

Rule Metadata

Red Hat Enterprise Linux 7 Security Technical Implementation Guide
Release: 1
Benchmark Date: 27 Jul 2018
Vuln ID: V-77821
Rule ID: SV-92517r2_rule
STIG ID: RHEL-07-020101
Severity: CAT II
Check Reference: M
Classification: Unclass

New Rule Title

Rule Title: The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.

Previous Fix Content

Fix Text: Configure the operating system to disable the ability to use the DCCP kernel module.

Create a file under "/etc/modprobe.d" with the following command:

# touch /etc/modprobe.d/nodccp

Add the following line to the created file:

install dccp /bin/true

New Fix Content

Fix Text: Configure the operating system to disable the ability to use the DCCP kernel module.

Create a file under "/etc/modprobe.d" with the following command:

# touch /etc/modprobe.d/dccp.conf

Add the following line to the created file:

install dccp /bin/true

Ensure that the DCCP module is blacklisted:

# vi /etc/modprobe.d/blacklist.conf

Add or update the line:

blacklist dccp

Noted Differences

Related Tickets

This update may address the following issues: https://github.com/ComplianceAsCode/content/issues/3342

redhatrises commented 5 years ago

DISA's fix text is wrong and needs to be updated. Docs can be found here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/blacklisting_a_module

Specifically: The "blacklist <module_name>" command, however, does not prevent the module from being loaded manually, or from being loaded as a dependency for another kernel module that is not blacklisted. To ensure that a module cannot be loaded on the system at all, modify the specified configuration file in the "/etc/modprobe.d/" directory as root with the following line: install <module_name> /bin/true
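The following is an added example, not code from this issue thread or from the ComplianceAsCode project. It checks how a modprobe.d directory treats a module and distinguishes the three states the thread discusses: an "install <module> /bin/true" line (module cannot be loaded), a "blacklist <module>" line on its own (only alias autoloading is stopped), and no entry at all. It reads only files ending in ".conf", as modprobe.d(5) specifies, so a file like the older fix text's "/etc/modprobe.d/nodccp" is not counted. The directory argument is an assumed parameter so the check can run against a constructed fixture rather than the real /etc/modprobe.d; the fixture contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the issue thread or the ComplianceAsCode project.
# Prints how a kernel module is handled by a modprobe.d directory:
#   disabled          an "install <module> /bin/true" (or /bin/false) line exists
#   blacklisted-only  only a "blacklist <module>" line exists
#   unrestricted      neither line exists
# Only files ending in .conf are read, matching modprobe.d(5); a file such as
# the old fix text's /etc/modprobe.d/nodccp is ignored by modprobe.
# The second argument (directory) is an assumed parameter so the check can
# run against a constructed directory instead of the real /etc/modprobe.d.

module_disable_status() {
  module="$1"
  dir="${2:-/etc/modprobe.d}"
  has_install=0
  has_blacklist=0
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    # Comment lines start with '#', so anchoring on the directive keyword
    # at the start of the line skips commented-out entries.
    if grep -Eq "^[[:space:]]*install[[:space:]]+$module[[:space:]]+/bin/(true|false)([[:space:]]|$)" "$f"; then
      has_install=1
    fi
    # The trailing (space|end) keeps "blacklist dccp" from matching "dccp_ipv4".
    if grep -Eq "^[[:space:]]*blacklist[[:space:]]+$module([[:space:]]|$)" "$f"; then
      has_blacklist=1
    fi
  done
  if [ "$has_install" -eq 1 ]; then
    echo disabled
  elif [ "$has_blacklist" -eq 1 ]; then
    echo blacklisted-only
  else
    echo unrestricted
  fi
}

# Constructed fixture (not real system files): three directories that mimic
# the old fix text, a blacklist-only configuration, and the new fix text.
make_fixture() {
  root=$(mktemp -d)
  mkdir "$root/old" "$root/blacklist_only" "$root/new"
  # Old fix text: the file has no .conf suffix, so modprobe never reads it.
  printf 'install dccp /bin/true\n' > "$root/old/nodccp"
  # Blacklist alone: stops alias autoloading, not manual or dependency loads.
  printf 'blacklist dccp\n' > "$root/blacklist_only/blacklist.conf"
  # New fix text: install line in dccp.conf plus a blacklist entry.
  printf 'install dccp /bin/true\n' > "$root/new/dccp.conf"
  printf '# local blacklist\nblacklist dccp\n' > "$root/new/blacklist.conf"
  echo "$root"
}

fixture=$(make_fixture)
for variant in old blacklist_only new; do
  printf '%-15s dccp: %s\n' "$variant" "$(module_disable_status dccp "$fixture/$variant")"
done
rm -rf "$fixture"
```

Run it as root against the real directory by calling module_disable_status dccp with no second argument; anything other than "disabled" means the module can still be loaded by an explicit modprobe or as a dependency of another module, which is the gap redhatrises' quoted documentation describes.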

shawndwells commented 5 years ago

This has been explained to DISA several times, and keeps getting reintroduced.

tedbrunell commented 5 years ago

DISA fix text does in fact include the line "install dccp /bin/true" - as stated when the issue was opened. The line is put into the file /etc/modprobe.d/dccp.conf. It also lists the module in blacklist.conf - no harm putting it there.

Closing this issue.