UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Bluetooth kernel module must be disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-38682 RHEL-06-000315 SV-50483r5_rule Medium
Description
If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.
STIG Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2017-12-08

Details

Check Text ( C-46244r5_chk )
If the system is configured to prevent the loading of the "bluetooth" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":

$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true”| grep -v “#”

If no line is returned, this is a finding.

If the system is configured to prevent the loading of the "net-pf-31" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":

$ grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d | grep -i “/bin/true” | grep -v “#”

If no line is returned, this is a finding.
Fix Text (F-43631r3_fix)
The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate "/etc/modprobe.d" configuration file to prevent the loading of the Bluetooth module:

install net-pf-31 /bin/true
install bluetooth /bin/true