3.2.1 Ensure dccp kernel module is not available

Information

The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.

Rationale:

-IF- the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.

Solution

Run the following script to disable the dccp module:
-IF- the module is available in the running kernel:

Create a file with install dccp /bin/false in the /etc/modprobe.d/ directory

Create a file with blacklist dccp in the /etc/modprobe.d/ directory

Unload dccp from the kernel

-IF- available in ANY installed kernel:

Create a file with blacklist dccp in the /etc/modprobe.d/ directory

-IF- the kernel module is not available on the system or pre-compiled into the kernel:

No remediation is necessary

#!/usr/bin/env bash

{
   l_mname="dccp" # set module name
   l_mtype="net" # set module type
   l_mpath="/lib/modules/**/kernel/$l_mtype"
   l_mpname="$(tr '-' '_' <<< "$l_mname")"
   l_mndir="$(tr '-' '/' <<< "$l_mname")"

   module_loadable_fix()
   {
      # If the module is currently loadable, add "install {MODULE_NAME} /bin/false" to a file in "/etc/modprobe.d"
      l_loadable="$(modprobe -n -v "$l_mname")"
      # With dependencies, modprobe -n -v prints several lines; keep only the install line and lines naming this module
      [ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
      if ! grep -Pq -- '^\h*install /bin/(true|false)' <<< "$l_loadable"; then
         echo -e "\n - setting module: \"$l_mname\" to be not loadable"
         echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mpname".conf
      fi
   }
   module_loaded_fix()
   {
      # If the module is currently loaded, unload the module
      if lsmod | grep "$l_mname" > /dev/null 2>&1; then
         echo -e "\n - unloading module \"$l_mname\""
         modprobe -r "$l_mname"
      fi
   }
   module_deny_fix()
   {
      # If the module isn't deny listed, denylist the module
      if ! modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mpname\b"; then
         echo -e "\n - deny listing \"$l_mname\""
         echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mpname".conf
      fi
   }
   # Check if the module exists on the system (every installed kernel under /lib/modules is examined)
   for l_mdir in $l_mpath; do
      if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
         echo -e "\n - module: \"$l_mname\" exists in \"$l_mdir\"\n - checking if disabled..."
         module_deny_fix
         # The install stub and unload only apply to the running kernel
         if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
            module_loadable_fix
            module_loaded_fix
         fi
      else
         echo -e "\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\"\n"
      fi
   done
   echo -e "\n - remediation of module: \"$l_mname\" complete\n"
}
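The remediation above establishes three conditions (the module is not loadable, not loaded, and deny listed). The following audit helper is an added example, not part of the benchmark or the Tenable plugin: it checks each condition from the text of the relevant command output, so its parsing can be verified on constructed samples, and the function and variable names (check_not_loadable, audit_module_text, AUDIT_LIVE and so on) are my own.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the benchmark). Command output is passed in as
# text so the logic can be exercised without root or a modprobe binary.

# $1 = module name, $2 = stdout of `modprobe -n -v <module>`.
# Empty output means the module is not available (or is built in), which the
# benchmark treats as needing no remediation. Dependencies are listed first, so
# the final line describes the module itself and must be an install stub.
check_not_loadable() {
    [ -z "$2" ] && return 0
    printf '%s\n' "$2" | tail -n 1 | grep -Eq -- '^[[:blank:]]*install /bin/(true|false)([[:blank:]]|$)'
}

# $1 = module name, $2 = output of `lsmod`.
# Passes only if neither the module nor a sub-module such as dccp_ipv4 is loaded;
# anchoring at line start avoids matching names in the "Used by" column.
check_not_loaded() {
    local mpname; mpname="$(printf '%s' "$1" | tr '-' '_')"
    ! printf '%s\n' "$2" | grep -Eq -- "^${mpname}(_[[:alnum:]_]+)?[[:blank:]]"
}

# $1 = module name, $2 = output of `modprobe --showconfig`.
check_denylisted() {
    local mpname; mpname="$(printf '%s' "$1" | tr '-' '_')"
    printf '%s\n' "$2" | grep -Eq -- "^[[:blank:]]*blacklist[[:blank:]]+${mpname}([[:blank:]]|$)"
}

# $1 = module, $2..$4 = the three command outputs. Prints one line per finding
# and returns 0 only when every check passes, so it can drive a compliance gate.
audit_module_text() {
    local rc=0
    if check_not_loadable "$1" "$2"; then echo " - PASS: $1 is not loadable"; else echo " - FAIL: $1 is loadable"; rc=1; fi
    if check_not_loaded "$1" "$3"; then echo " - PASS: $1 is not loaded"; else echo " - FAIL: $1 is loaded"; rc=1; fi
    if check_denylisted "$1" "$4"; then echo " - PASS: $1 is deny listed"; else echo " - FAIL: $1 is not deny listed"; rc=1; fi
    return $rc
}

# Gather live output on this host (needs modprobe; run as root for full results).
audit_module_live() {
    audit_module_text "$1" "$(modprobe -n -v "$1" 2>/dev/null)" "$(lsmod 2>/dev/null)" "$(modprobe --showconfig 2>/dev/null)"
}

# The live audit runs only when requested, e.g. AUDIT_LIVE=1 ./dccp_audit.sh
if [ "${AUDIT_LIVE:-0}" = "1" ]; then audit_module_live dccp; fi
```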

See Also

https://workbench.cisecurity.org/benchmarks/15288

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 0e6f1f0484dc512afa8093ef1250761816c3204d64d0942a2b39e35c8dceb83a