3.2.6 Ensure tipc kernel module is not available

Information

The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.

Removing support for unneeded protocols reduces the local attack surface of the system. If this protocol is not needed, disable it.

Solution

Unload and disable the tipc kernel module.

- Run the following commands to unload the tipc kernel module:

# modprobe -r tipc 2>/dev/null
# rmmod tipc 2>/dev/null

- Perform the following to disable the tipc kernel module:

Create a file ending in .conf with "install tipc /bin/false" in the /etc/modprobe.d/ directory.

Example:

# printf '\n%s\n' "install tipc /bin/false" >> /etc/modprobe.d/60-tipc.conf

Create a file ending in .conf with "blacklist tipc" in the /etc/modprobe.d/ directory.

Example:

# printf '\n%s\n' "blacklist tipc" >> /etc/modprobe.d/60-tipc.conf
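The following audit check is an added example, not part of the benchmark text: it verifies that both modprobe directives from the Solution are present and that tipc is not currently loaded. The function names are hypothetical, and it assumes only *.conf files in the given directory (default /etc/modprobe.d) are relevant; modprobe can also read configuration from other directories.

```shell
#!/bin/sh
# Added example: audit of the tipc remediation above (not benchmark text).
# Assumption: only *.conf files in the directory passed in are inspected.

# has_directive DIR REGEX -> 0 if any *.conf file in DIR has a matching line
has_directive() {
    dir=$1; regex=$2
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Regexes are anchored at line start, so '#' comment lines never match.
        grep -Eq "$regex" "$f" && return 0
    done
    return 1
}

# tipc_is_loaded MODULES_FILE -> 0 if tipc is listed as a loaded module
tipc_is_loaded() {
    # Trailing whitespace in the pattern keeps tipc_* helper modules out.
    [ -r "$1" ] && grep -Eq '^tipc[[:space:]]' "$1"
}

# tipc_audit [CONF_DIR] [MODULES_FILE]
# Prints one finding per failed check; returns 0 only when all three pass.
tipc_audit() {
    conf_dir=${1:-/etc/modprobe.d}
    modules=${2:-/proc/modules}
    rc=0
    if ! has_directive "$conf_dir" \
        '^[[:space:]]*install[[:space:]]+tipc[[:space:]]+/bin/false([[:space:]]|$)'; then
        echo "FAIL: no 'install tipc /bin/false' in $conf_dir"; rc=1
    fi
    if ! has_directive "$conf_dir" \
        '^[[:space:]]*blacklist[[:space:]]+tipc([[:space:]]|$)'; then
        echo "FAIL: no 'blacklist tipc' in $conf_dir"; rc=1
    fi
    if tipc_is_loaded "$modules"; then
        echo "FAIL: tipc is currently loaded"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: tipc is disabled and not loaded"
    return "$rc"
}
# Usage on a live system: source this file, then run: tipc_audit
```

A commented-out directive or a blacklist entry for a differently named module is reported as a failure, which is the usual way a remediation silently does not take effect.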

See Also

https://workbench.cisecurity.org/benchmarks/23598

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 80590cfeb851985ec8917ccaee4c225f5d93a05b81dae2cc18d577955162e2ba