Red Hat 5 STIG: Kernel Modules

Monday, August 29, 2011

Jamie Adams


In the last few years, I've seen organizations extending the concept of least privilege to least installed or running.

I have written about minimizing a system's attack surface by removing unnecessary software and turning off as many unused features as possible.

The draft release of the U.S. Defense Information Systems Agency's (DISA) “Red Hat 5 STIG” is no exception. I love it when security guidelines make these suggestions, but it can be frustrating when assessment scanners report false positives.

For example, some scanners will report a failure if they can't find a setting in a configuration file for software which isn't even installed on the system.

The new draft STIG requires entries in a configuration file to prevent the kernel from loading modules – even if the modules aren't installed on the system. Nonetheless, I have compiled a list of the required settings which must be set in your modprobe.conf configuration file.

First of all, the STIG requires that the loading and removal of kernel modules be recorded by the auditing subsystem (GEN002825). The system calls (-S) init_module and delete_module are tracked, and watches (-w) are placed on the command line utilities that load and unload modules. Add the following rules to your audit.rules file:

-a always,exit -S init_module -S delete_module -k modules
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /sbin/rmmod -p x -k modules
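As an added example (not from the original post), the following POSIX shell script checks whether an audit rules file contains the four GEN002825 rules listed above. The file path is passed as an argument, so it can be run against /etc/audit/audit.rules or a staged copy; the sample file it builds at the end is constructed for illustration and is not a real system file.

```shell
#!/bin/sh
# Added example (not from the original post): check that an audit rules file
# carries the four GEN002825 rules quoted above. Prints every rule that is
# absent and returns 0 only when all four are present.

# $1 = rules file, $2 = human-readable rule, $3 = extended regex it must match
require_rule() {
    if grep -Eq "$3" "$1"; then
        return 0
    fi
    echo "missing audit rule: $2"
    return 1
}

# Build the regex for a "-w <path> -p x -k modules" watch rule.
# Extra whitespace between fields is tolerated; field order must match the post.
watch_regex() {
    printf '^-w[[:space:]]+%s[[:space:]]+-p[[:space:]]+x[[:space:]]+-k[[:space:]]+modules[[:space:]]*$' "$1"
}

# Return 0 if the file has the syscall rule and all three watch rules.
# Both "always,exit" and "exit,always" are accepted for the syscall rule,
# since auditctl treats them identically.
check_module_audit_rules() {
    rules_file="$1"
    status=0
    require_rule "$rules_file" '-a always,exit -S init_module -S delete_module -k modules' \
        '^-a[[:space:]]+(always,exit|exit,always)[[:space:]]+-S[[:space:]]+init_module[[:space:]]+-S[[:space:]]+delete_module[[:space:]]+-k[[:space:]]+modules[[:space:]]*$' \
        || status=1
    for tool in /sbin/insmod /sbin/modprobe /sbin/rmmod; do
        require_rule "$rules_file" "-w $tool -p x -k modules" "$(watch_regex "$tool")" || status=1
    done
    return "$status"
}

# Constructed sample (not a real system file): only one of the four rules,
# so the check reports the other three as missing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-w /sbin/modprobe -p x -k modules
EOF
check_module_audit_rules "$sample" || echo "sample rules file is incomplete"
rm -f "$sample"
```

On a live system, run `check_module_audit_rules /etc/audit/audit.rules` and then compare against `auditctl -l`: the file only describes what auditd loads at start-up, so after editing it you still need to restart auditd (or load the file with `auditctl -R`) before the kernel actually records module events under the `modules` key.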

Unless your system has a specific need for the following networking related modules, they shouldn't be loaded into the kernel. These modules aren't installed in a default Red Hat Enterprise Linux installation, but you'll still need to explicitly add entries to the modprobe.conf file:

  • Network Bridging (GEN003619)

If you don't use IPv6, it is recommended you disable support for it (GEN007700) and you should configure the system to prevent dynamic loading of the IPv6 protocol handler (GEN007720).

Additionally, the guideline recommends disabling support for Bluetooth, USB storage devices, and Firewire.

To prevent the loading of the aforementioned modules and network modules, add the following to your /etc/modprobe.conf file:

# Network related
install bridge /bin/false
install sctp /bin/true
install dccp /bin/true
install dccp_ipv4 /bin/true
install dccp_ipv6 /bin/true
install rds /bin/true
install tipc /bin/true
install bluetooth /bin/true

# IPv6
alias net-pf-10 off
alias ipv6 off
install ipv6 /bin/true

# USB and Firewire
install usb-storage /bin/true
install ieee1394 /bin/true

A section of the National Security Agency's “Guide to the Secure Configuration of Red Hat Enterprise Linux 5” also recommends not loading kernel modules for uncommon filesystem types:

install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
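As an added example (not from the original post), this POSIX shell script verifies that a modprobe.conf file carries an override for every module in both lists above: the STIG network, IPv6, USB storage and Firewire entries, and the NSA filesystem entries. It accepts either `/bin/true` or `/bin/false` as the install target, since both prevent the real module from loading (the post uses `/bin/false` for bridge and `/bin/true` everywhere else; the difference is only whether modprobe reports success or failure). The sample file it builds at the end is constructed for illustration and is not a real system file.

```shell
#!/bin/sh
# Added example (not from the original post): check that a modprobe.conf file
# has an install override for every module the post lists, plus the two
# "alias ... off" lines the post requires for IPv6.

STIG_MODULES="bridge sctp dccp dccp_ipv4 dccp_ipv6 rds tipc bluetooth ipv6 usb-storage ieee1394"
NSA_FS_MODULES="cramfs freevxfs jffs2 hfs hfsplus squashfs udf"

# Return 0 if CONF ($1) has "install MODULE /bin/true" or "/bin/false" for MODULE ($2).
# modprobe treats '-' and '_' in module names as equivalent, so the regex
# accepts either spelling: usb-storage also matches "install usb_storage ...".
has_install_override() {
    conf="$1"
    name_re=$(printf '%s' "$2" | sed 's/[-_]/[-_]/g')
    grep -Eq "^[[:space:]]*install[[:space:]]+${name_re}[[:space:]]+/bin/(true|false)[[:space:]]*$" "$conf"
}

# Return 0 if CONF ($1) has "alias NAME off" for NAME ($2).
has_alias_off() {
    grep -Eq "^[[:space:]]*alias[[:space:]]+$2[[:space:]]+off[[:space:]]*$" "$1"
}

# Check every entry, print each gap, and return 0 only when nothing is missing.
check_modprobe_conf() {
    conf="$1"
    gaps=0
    for m in $STIG_MODULES $NSA_FS_MODULES; do
        has_install_override "$conf" "$m" || { echo "no install override for: $m"; gaps=$((gaps + 1)); }
    done
    for a in net-pf-10 ipv6; do
        has_alias_off "$conf" "$a" || { echo "missing: alias $a off"; gaps=$((gaps + 1)); }
    done
    [ "$gaps" -eq 0 ]
}

# Constructed sample (not a real system file): the IPv6 block only, so the
# check lists every other module as missing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
alias net-pf-10 off
alias ipv6 off
install ipv6 /bin/true
EOF
check_modprobe_conf "$sample" || echo "sample modprobe.conf is incomplete"
rm -f "$sample"
```

Run `check_modprobe_conf /etc/modprobe.conf` to see which entries an auditor would flag. The file check only tells you what is written; to confirm what modprobe would actually do on the running system, use a dry run such as `modprobe -n -v usb-storage`, which prints the `install /bin/true` command it would execute instead of loading the module.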

My suggestion is always to remove unused software; however, many auditors will still want to see the explicit setting in the modprobe.conf file.

Cross posted from Security Blanket Technical Blog

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.