3.2.3 Ensure dccp kernel module is not available

Information

The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP gives applications access to congestion control without having to implement it at the application layer, but it does not provide in-sequence delivery.

Removing support for unneeded protocols reduces the local attack surface of the system. If this protocol is not needed, disable it.

Solution

Unload and disable the dccp kernel module.

- Run the following commands to unload the dccp kernel module:

# modprobe -r dccp 2>/dev/null
# rmmod dccp 2>/dev/null
- Perform the following to disable the dccp kernel module:

Create a file ending in .conf in the /etc/modprobe.d/ directory that contains the line install dccp /bin/false

Example:

# printf '\n%s\n' "install dccp /bin/false" >> /etc/modprobe.d/60-dccp.conf

Create a file ending in .conf in the /etc/modprobe.d/ directory that contains the line blacklist dccp

Example:

# printf '\n%s\n' "blacklist dccp" >> /etc/modprobe.d/60-dccp.conf
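
To confirm the steps above took effect, the script below is an added example, not part of the benchmark or of the audit plugin. The function names and the path parameters are assumptions made for illustration; it reads only /etc/modprobe.d/*.conf and /proc/modules, and ignores commented-out directives.

```shell
#!/bin/sh
# Added example: audit the result of the dccp remediation described above.
# Paths are parameters so the check can also run against constructed fixtures.

# True if DIR/*.conf holds an active (uncommented) "<directive> <module> [arg]" line.
has_directive() {  # $1=conf dir  $2=directive  $3=module  $4=optional argument
    pattern="^[[:space:]]*${2}[[:space:]]+${3}"
    if [ -n "$4" ]; then
        pattern="${pattern}[[:space:]]+${4}"
    fi
    cat "$1"/*.conf 2>/dev/null | grep -Eq "${pattern}[[:space:]]*\$"
}

# True if MODULE appears as a loaded module in a /proc/modules-format file.
# The trailing whitespace match keeps "dccp" from matching "dccp_ipv4".
is_loaded() {  # $1=module  $2=modules list
    grep -Eq "^${1}[[:space:]]" "$2" 2>/dev/null
}

# Returns 0 only if the module is unloaded, has an install override and is blacklisted.
audit_module() {  # $1=module  $2=conf dir  $3=modules list
    mod=$1; dir=${2:-/etc/modprobe.d}; loaded=${3:-/proc/modules}; rc=0
    if is_loaded "$mod" "$loaded"; then
        echo "FAIL: $mod is currently loaded"; rc=1
    fi
    if ! has_directive "$dir" install "$mod" /bin/false; then
        echo "FAIL: no 'install $mod /bin/false' in $dir/*.conf"; rc=1
    fi
    if ! has_directive "$dir" blacklist "$mod"; then
        echo "FAIL: no 'blacklist $mod' in $dir/*.conf"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "PASS: $mod is unloaded, install-disabled and blacklisted"
    fi
    return "$rc"
}

# Usage on a live host (as root or any user able to read the files):
#   audit_module dccp
```

A FAIL on the install line with a PASS on blacklist means the module can still be loaded on demand or by an explicit modprobe, since blacklist only stops alias-based autoloading.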

See Also

https://workbench.cisecurity.org/benchmarks/23598

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 3069744804fa0dc2ecf3ce5d50b1c0ba1a46afe0e0ab7efa514ac909222dd113