3.4.3 Ensure RDS is disabled - modprobe

Information

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation.

Rationale:

If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.

Solution

Run the following script to disable rds:

#!/usr/bin/env bash

{
l_mname='rds' # set module name
if ! modprobe -n -v '$l_mname' | grep -P -- '^h*install /bin/(true|false)'; then
echo -e ' - setting module: '$l_mname' to be not loadable'
echo -e 'install $l_mname /bin/false' >> /etc/modprobe.d/'$l_mname'.conf
fi
if lsmod | grep '$l_mname' > /dev/null 2>&1; then
echo -e ' - unloading module '$l_mname''
modprobe -r '$l_mname'
fi
if ! grep -Pq -- '^h*blacklisth+$l_mnameb' /etc/modprobe.d/*; then
echo -e ' - deny listing '$l_mname''
echo -e 'blacklist $l_mname' >> /etc/modprobe.d/'$l_mname'.conf
fi
}

See Also

https://workbench.cisecurity.org/files/4068

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 69c5b4beaa86a45ae9bc65454303197d18aa7ed5717a411c7834c069cd231f15