UCF STIG Viewer Logo

The Photon operating system must disable the loading of unnecessary kernel modules.


Overview

Finding ID Version Rule ID IA Controls Severity
V-239105 PHTN-67-000033 SV-239105r675123_rule Medium
Description
To support the requirements and principles of least functionality, the operating system must provide only essential capabilities and limit the use of modules, protocols, and/or services to only those required for the proper functioning of the product. Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000114-GPOS-00059
STIG Date
VMware vSphere 6.7 Photon OS Security Technical Implementation Guide 2021-04-15

Details

Check Text ( C-42316r675121_chk )
At the command line, execute the following command:

# modprobe --showconfig | grep "^install" | grep "/bin"

Expected result:

install sctp /bin/false
install dccp /bin/false
install dccp_ipv4 /bin/false
install dccp_ipv6 /bin/false
install ipx /bin/false
install appletalk /bin/false
install decnet /bin/false
install rds /bin/false
install tipc /bin/false
install bluetooth /bin/false
install usb-storage /bin/false
install ieee1394 /bin/false
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false

If the output does not match the expected result, this is a finding.
Fix Text (F-42275r675122_fix)
Open /etc/modprobe.d/modprobe.conf with a text editor and set the contents as follows:

install sctp /bin/false
install dccp /bin/false
install dccp_ipv4 /bin/false
install dccp_ipv6 /bin/false
install ipx /bin/false
install appletalk /bin/false
install decnet /bin/false
install rds /bin/false
install tipc /bin/false
install bluetooth /bin/false
install usb-storage /bin/false
install ieee1394 /bin/false
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false