The Photon operating system must disable the loading of unnecessary kernel modules.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-256509 | SRG-OS-000096-GPOS-00050 | PHTN-30-000032 | SV-256509r958480_rule | 2024-12-16 | 1 |
Description
To support the requirements and principles of least functionality, the operating system must provide only essential capabilities and limit the use of modules, protocols, and/or services to only those required for the proper functioning of the product.
Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000114-GPOS-00059
ℹ️ Check
At the command line, run the following command:
# modprobe --showconfig | grep "^install" | grep "/bin"
Expected result:
install sctp /bin/false
install dccp /bin/false
install dccp_ipv4 /bin/false
install dccp_ipv6 /bin/false
install ipx /bin/false
install appletalk /bin/false
install decnet /bin/false
install rds /bin/false
install tipc /bin/false
install bluetooth /bin/false
install usb_storage /bin/false
install ieee1394 /bin/false
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false
The output may include other statements outside of the expected result.
If the output does not include at least every statement in the expected result, this is a finding.
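One way to automate the comparison described in the check, as an added example that is not part of the STIG text; the function names and the sample configuration are constructed for illustration. It matches each statement exactly, so a line such as `install bluetooth /bin/true`, which the `grep "/bin"` filter would still display, is reported as missing.

```shell
#!/bin/sh
# Added example, not STIG content. Function names are hypothetical.
REQUIRED_MODULES="sctp dccp dccp_ipv4 dccp_ipv6 ipx appletalk decnet rds tipc \
bluetooth usb_storage ieee1394 cramfs freevxfs jffs2 hfs hfsplus squashfs udf"

# Reads `modprobe --showconfig` text on stdin; prints each required module
# that has no exact "install <module> /bin/false" statement.
missing_modules() {
    awk -v required="$REQUIRED_MODULES" '
        # Only the exact three-field form counts.
        NF == 3 && $1 == "install" && $3 == "/bin/false" {
            name = $2
            gsub(/-/, "_", name)   # modprobe treats - and _ as equivalent
            disabled[name] = 1
        }
        END {
            n = split(required, mods, " ")
            for (i = 1; i <= n; i++)
                if (!(mods[i] in disabled)) print mods[i]
        }'
}

# Returns 0 when compliant, 1 when at least one statement is missing.
check_modprobe_config() {
    missing=$(missing_modules)
    if [ -n "$missing" ]; then
        printf 'FINDING: missing "install %s /bin/false"\n' $missing
        return 1
    fi
    echo "PASS: all required install statements present"
}

# Constructed sample input: udf absent, bluetooth mapped to /bin/true,
# usb_storage spelled with a hyphen, plus one unrelated statement.
sample_config() {
    for m in $REQUIRED_MODULES; do
        case $m in
            udf) ;;
            bluetooth) echo "install $m /bin/true" ;;
            usb_storage) echo "install usb-storage /bin/false" ;;
            *) echo "install $m /bin/false" ;;
        esac
    done
    echo "blacklist floppy"
}

# On a live system: modprobe --showconfig | check_modprobe_config
sample_config | check_modprobe_config || true
```

The non-zero return from `check_modprobe_config` lets the check run from a scheduled compliance job that alerts on failure.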
✔️ Fix
Navigate to and open:
/etc/modprobe.d/modprobe.conf
Set the contents as follows:
install sctp /bin/false
install dccp /bin/false
install dccp_ipv4 /bin/false
install dccp_ipv6 /bin/false
install ipx /bin/false
install appletalk /bin/false
install decnet /bin/false
install rds /bin/false
install tipc /bin/false
install bluetooth /bin/false
install usb_storage /bin/false
install ieee1394 /bin/false
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false