Detections
Analytics

3.2.5 Ensure atm kernel module is not available

Information

The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. Disabling ATM protects the system against exploitation of any laws in its implementation.

It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.

Failing to disconnect unused protocols can result in a system compromise.

Solution

Run the following script to unload and disable the atm module:

- IF - the atm kernel module is available in ANY installed kernel:

 - Create a file ending in .conf with install atm /bin/false in the /etc/modprobe.d/ directory
 - Create a file ending in .conf with blacklist atm in the /etc/modprobe.d/ directory
 - Run modprobe -r atm 2>/dev/null; rmmod atm 2>/dev/null to remove atm from the kernel

- IF - the atm kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary

#!/usr/bin/env bash

{
 a_output2=() a_output3=() l_dl="" l_mod_name="atm" l_mod_type="net"
 l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
 f_module_fix()
 {
 l_dl="y" a_showconfig=()
 while IFS= read -r l_showconfig; do
 a_showconfig+=("$l_showconfig")
 done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_chk_name//-/_}"'\b')
 if lsmod | grep "$l_mod_chk_name" &> /dev/null; then
 a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
 modprobe -r "$l_mod_chk_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
 fi
 if ! grep -Pq -- '\binstall\h+'"${l_mod_chk_name//-/_}"'\h+(\/usr)?\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
 a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"$(readlink -f /bin/false)\"")
 printf '%s\n' "install $l_mod_chk_name $(readlink -f /bin/false)" >> /etc/modprobe.d/"$l_mod_name".conf
 fi
 if ! grep -Pq -- '\bblacklist\h+'"${l_mod_chk_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
 a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
 printf '%s\n' "blacklist $l_mod_chk_name" >> /etc/modprobe.d/"$l_mod_name".conf
 fi
 }
 for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
 if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A "$l_mod_base_directory/${l_mod_name/-/\/}")" ]; then
 a_output3+=(" - \"$l_mod_base_directory\"")
 l_mod_chk_name="$l_mod_name"
 [[ "$l_mod_name" =~ overlay ]] && l_mod_chk_name="${l_mod_name::-2}"
 [ "$l_dl" != "y" ] && f_module_fix
 else
 printf '%s\n' " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
 fi
 done
 [ "${#a_output3[@]}" -gt 0 ] && printf '%s\n' "" " -- INFO --" " - module: \"$l_mod_name\" exists in:" "${a_output3[@]}"
 [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "" "${a_output2[@]}" || printf '%s\n' "" " - No changes needed"
 printf '%s\n' "" " - remediation of kernel module: \"$l_mod_name\" complete" ""
}

Reboot the system for the settings to take effect.

See Also

https://workbench.cisecurity.org/benchmarks/19886

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, 800-53|CM-7a., CAT|III, CSCv7|9.2, Rule-ID|SV-230494r942918_rule, Vuln-ID|V-230494

Plugin: Unix

Control ID: f9abfa3c3c3bd922bc9708207710e50767f9c98656329911874b33fd71a5511d