Information
The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.
-IF- the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.
Solution
Run the following script to disable the dccp module:
-IF- the module is available in the running kernel:
 - Create a file ending in .conf in the /etc/modprobe.d/ directory containing the line: install dccp /bin/false
 - Create a file ending in .conf in the /etc/modprobe.d/ directory containing the line: blacklist dccp
 - Unload dccp from the kernel
-IF- available in ANY installed kernel:
 - Create a file ending in .conf in the /etc/modprobe.d/ directory containing the line: blacklist dccp
-IF- the kernel module is not available on the system, or is pre-compiled into the kernel:
 - No remediation is necessary
#!/usr/bin/env bash
{
   # Kernel module being remediated and the kernel subtree ("type") it lives under
   l_mname="dccp"
   l_mtype="net"
   # Glob for the module-type directory of every installed kernel; it is
   # expanded (deliberately unquoted) by the "for" loop further down
   l_mpath="/lib/modules/**/kernel/$l_mtype"
   # Module name with every '-' turned into '_' (used for the modprobe.d
   # file name and for the deny-list lookup)
   l_mpname="${l_mname//-/_}"
   # Module name with every '-' turned into '/' (module directory relative
   # to the module-type directory)
   l_mndir="${l_mname//-//}"
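   module_loadable_fix()
   {
      # Make the module non-loadable through modprobe unless it already is.
      # Globals:  l_mname (read), l_mpname (read)
      # Outputs:  progress message on stdout; may append
      #           "install <module> /bin/false" to /etc/modprobe.d/<l_mpname>.conf
      # Note: an "install" override is honoured by modprobe only; it does not
      # stop a privileged user from inserting the .ko file directly with insmod.
      local l_loadable

      # Dry run (-n) with verbose output (-v): prints what modprobe would do
      l_loadable="$(modprobe -n -v "$l_mname")"

      # With multi-line output, keep only "install" lines and lines naming the module.
      # \h (horizontal whitespace) and \b (word boundary) are PCRE escapes; written
      # as bare "h"/"b" they would match literal letters and the filter would never hit.
      if [ "$(wc -l <<< "$l_loadable")" -gt 1 ]; then
         l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
      fi

      # Already redirected to /bin/true or /bin/false -> nothing to do
      if ! grep -Pq -- '^\h*install /bin/(true|false)' <<< "$l_loadable"; then
         printf '\n - setting module: "%s" to be not loadable\n' "$l_mname"
         printf 'install %s /bin/false\n' "$l_mname" >> /etc/modprobe.d/"$l_mpname".conf
      fi
   }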
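   module_loaded_fix()
   {
      # Unload the module from the running kernel if it is currently loaded.
      # Globals:  l_mname (read), l_mpname (read)
      # Outputs:  progress message on stdout, warning on stderr if unloading fails
      # Returns:  0 if the module was not loaded or was unloaded, 1 if unloading failed
      #
      # Match the first lsmod column exactly, using the underscore form of the
      # name. A plain substring grep would also hit other modules whose name
      # merely contains the string, and the "Used by" column of unrelated lines.
      if lsmod | grep -q -- "^${l_mpname}[[:space:]]"; then
         printf '\n - unloading module "%s"\n' "$l_mname"
         if ! modprobe -r "$l_mname"; then
            # Do not fail silently: a module that stays loaded is still reachable
            printf ' - WARNING: module "%s" could not be unloaded; it remains loaded until it is released or the system is rebooted\n' "$l_mname" >&2
            return 1
         fi
      fi
   }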
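   module_deny_fix()
   {
      # Add the module to the modprobe deny list unless it is already listed.
      # Globals:  l_mname (read), l_mpname (read)
      # Outputs:  progress message on stdout; may append
      #           "blacklist <module>" to /etc/modprobe.d/<l_mpname>.conf
      # Note: "blacklist" only stops alias-based automatic loading; an explicit
      # "modprobe <module>" still works, which is why the install override is
      # applied separately for the running kernel.
      #
      # ${l_mpname} is braced so the trailing \b is not read as part of the
      # variable name (an unset "$l_mpnameb" would make the check never match
      # and append a duplicate line on every run). \h is PCRE horizontal whitespace.
      if ! modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+${l_mpname}\b"; then
         printf '\n - deny listing "%s"\n' "$l_mname"
         printf 'blacklist %s\n' "$l_mname" >> /etc/modprobe.d/"$l_mpname".conf
      fi
   }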
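   # Walk the module-type directory of every installed kernel and remediate
   # wherever the module is present:
   #  - any kernel that ships it  -> deny list it
   #  - the running kernel        -> also make it non-loadable and unload it
   # The running kernel's directory is resolved once, outside the loop.
   l_running_mdir="/lib/modules/$(uname -r)/kernel/$l_mtype"
   # $l_mpath is left unquoted on purpose so the glob expands to one path per kernel
   for l_mdir in $l_mpath; do
      # Module directory must exist and be non-empty; the path is quoted so it
      # is passed to ls as a single argument and is not re-globbed
      if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A "$l_mdir/$l_mndir")" ]; then
         printf '\n - module: "%s" exists in "%s"\n - checking if disabled...\n' "$l_mname" "$l_mdir"
         module_deny_fix
         if [ "$l_mdir" = "$l_running_mdir" ]; then
            module_loadable_fix
            module_loaded_fix
         fi
      else
         printf '\n - module: "%s" doesn'"'"'t exist in "%s"\n\n' "$l_mname" "$l_mdir"
      fi
   done
   printf '\n - remediation of module: "%s" complete\n\n' "$l_mname"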
}