Information
Wireless networking is used when wired networks are unavailable.
Rationale:
If wireless is not to be used, wireless devices should be disabled to reduce the potential attack surface.
Impact:
Many, if not all, laptop workstations and some desktop workstations will connect via wireless, requiring these interfaces to be enabled.
Solution
Run the following script to disable any wireless interfaces:
#!/usr/bin/env bash
{
   # Deny-list one kernel module ($l_mname): make it un-loadable with an
   # "install <module> /bin/false" line, unload it if currently loaded, and
   # add a "blacklist <module>" line so it is not auto-loaded by alias.
   module_fix()
   {
      if ! modprobe -n -v "$l_mname" | grep -P -- '^\h*install /bin/(true|false)'; then
         echo -e " - setting module: \"$l_mname\" to be un-loadable"
         echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mname".conf
      fi
      if lsmod | grep "$l_mname" > /dev/null 2>&1; then
         echo -e " - unloading module \"$l_mname\""
         modprobe -r "$l_mname"
      fi
      if ! grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then
         echo -e " - deny listing \"$l_mname\""
         echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mname".conf
      fi
   }
   # Only act when at least one interface exposes a "wireless" directory in
   # sysfs; resolve each such interface to the driver module backing it.
   if [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
      l_dname=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname); do basename "$(readlink -f "$driverdir"/device/driver/module)"; done | sort -u)
      for l_mname in $l_dname; do
         module_fix
      done
   fi
}
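The remediation script has no matching audit step, so the following is an added audit helper (not the benchmark's own code) that checks whether every wireless driver module is deny-listed the way the script above leaves it. It assumes readlink -f and grep -E are available; the sysfs net root and modprobe.d directory are parameters (defaulting to the real paths) so it can be run against a test tree.

```shell
#!/usr/bin/env bash
# Added audit helper, not part of the benchmark. Defaults to the live system
# paths; pass alternative roots to exercise it against a constructed tree.

# Print the unique driver module name behind every wireless interface found
# under the sysfs net root (default /sys/class/net), one name per line.
wireless_module_names() {
  local net_root="${1:-/sys/class/net}" d
  for d in "$net_root"/*/wireless; do
    [ -d "$d" ] || continue
    basename "$(readlink -f "$(dirname "$d")/device/driver/module")"
  done | sort -u
}

# Return 0 only when the modprobe.d directory (default /etc/modprobe.d)
# carries BOTH an "install <module> /bin/false|true" line and a
# "blacklist <module>" line; either alone leaves a loading path open.
# Only *.conf files are checked because modprobe ignores other names.
module_denied() {
  local mname="$1" confdir="${2:-/etc/modprobe.d}"
  local bl='[[:blank:]]'
  grep -Eqs -- "^$bl*install$bl+$mname$bl+/bin/(true|false)($bl|$)" "$confdir"/*.conf || return 1
  grep -Eqs -- "^$bl*blacklist$bl+$mname($bl|$)" "$confdir"/*.conf || return 1
  return 0
}

# Audit every wireless module: print one PASS/FAIL line per module and
# return 1 if any module is still loadable, 0 otherwise.
wireless_audit() {
  local net_root="${1:-/sys/class/net}" confdir="${2:-/etc/modprobe.d}"
  local rc=0 m
  for m in $(wireless_module_names "$net_root"); do
    if module_denied "$m" "$confdir"; then
      echo " - PASS: module \"$m\" is deny-listed"
    else
      echo " - FAIL: module \"$m\" is still loadable"
      rc=1
    fi
  done
  return $rc
}
```

Run wireless_audit with no arguments on the live system; a non-zero exit means at least one wireless module is not deny-listed and the remediation script still needs to run.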
Additional Information:
NIST SP 800-53 Rev. 5:
CM-7