Detections
Analytics

3.2.4 Ensure sctp kernel module is not available

Information

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.

- IF - the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.

Solution

Run the following script to unload and disable the sctp module:

- IF - the sctp kernel module is available in ANY installed kernel:

 - Create a file ending inconf with install sctp /bin/false in the /etc/modprobe.d/ directory
 - Create a file ending inconf with blacklist sctp in the /etc/modprobe.d/ directory
 - Run modprobe -r sctp 2>/dev/null; rmmod sctp 2>/dev/null to remove sctp from the kernel

- IF - the sctp kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary

#!/usr/bin/env bash

{
 unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
 l_mod_name="sctp" # set module name
 l_mod_type="net" # set module type
 l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
 f_module_fix()
 {
 l_dl="y" # Set to ignore duplicate checks
 a_showconfig=() # Create array with modprobe output
 while IFS= read -r l_showconfig; do
 a_showconfig+=("$l_showconfig")
 done < <(modprobe --showconfig | grep -P -- 'b(install|blacklist)h+'"${l_mod_name//-/_}"'b')
 if lsmod | grep "$l_mod_name" &amp;> /dev/null; then # Check if the module is currently loaded
 a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
 modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
 fi
 if ! grep -Pq -- 'binstallh+'"${l_mod_name//-/_}"'h+/bin/(true|false)b' <<< "${a_showconfig[*]}"; then
 a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
 printf '%s
' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
 fi
 if ! grep -Pq -- 'bblacklisth+'"${l_mod_name//-/_}"'b' <<< "${a_showconfig[*]}"; then
 a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
 printf '%s
' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
 fi
 }
 for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
 if [ -d "$l_mod_base_directory/${l_mod_name/-//}" ] &amp;&amp; [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-//})" ]; then
 l_output3="$l_output3
 - \"$l_mod_base_directory\""
 [[ "$l_mod_name" =~ overlay ]] &amp;&amp; l_mod_name="${l_mod_name::-2}"
 [ "$l_dl" != "y" ] &amp;&amp; f_module_fix
 else
 echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
 fi
 done
 [ -n "$l_output3" ] &amp;&amp; echo -e "

 -- INFO --
 - module: \"$l_mod_name\" exists in:$l_output3"
 [ "${#a_output2[@]}" -gt 0 ] &amp;&amp; printf '%s
' "${a_output2[@]}"
 echo -e "
 - remediation of kernel module: \"$l_mod_name\" complete
"
}

See Also

https://workbench.cisecurity.org/benchmarks/18208

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 0c1e70fb2bc0384e32a95ed2ba841f9fdb3b437d6e4a5fc19f1aadffb9f6b60b