Detections
Analytics

3.2.4 Ensure sctp kernel module is not available

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.

-IF- the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.

Solution

Run the following script to disable the sctp module:

-IF- the module is available in the running kernel:

 - Create a file with install sctp /bin/false in the /etc/modprobe.d/ directory
 - Create a file with blacklist sctp in the /etc/modprobe.d/ directory
 - Unload sctp from the kernel

-IF- available in ANY installed kernel:

 - Create a file with blacklist sctp in the /etc/modprobe.d/ directory

-IF- the kernel module is not available on the system or pre-compiled into the kernel:

 - No remediation is necessary

#!/usr/bin/env bash

{
 l_mname="sctp" # set module name
 l_mtype="net" # set module type
 l_mpath="/lib/modules/**/kernel/$l_mtype"
 l_mpname="$(tr '-' '_' <<< "$l_mname")"
 l_mndir="$(tr '-' '/' <<< "$l_mname")"

 module_loadable_fix()
 {
 # If the module is currently loadable, add "install {MODULE_NAME} /bin/false" to a file in "/etc/modprobe.d"
 l_loadable="$(modprobe -n -v "$l_mname")"
 [ "$(wc -l <<< "$l_loadable")" -gt "1" ] &amp;&amp; l_loadable="$(grep -P -- "(^h*install|b$l_mname)b" <<< "$l_loadable")"
 if ! grep -Pq -- '^h*install /bin/(true|false)' <<< "$l_loadable"; then
 echo -e "
 - setting module: \"$l_mname\" to be not loadable"
 echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mpname".conf
 fi
 }
 module_loaded_fix()
 {
 # If the module is currently loaded, unload the module
 if lsmod | grep "$l_mname" > /dev/null 2>&amp;1; then
 echo -e "
 - unloading module \"$l_mname\""
 modprobe -r "$l_mname"
 fi
 }
 module_deny_fix()
 {
 # If the module isn't deny listed, denylist the module
 if ! modprobe --showconfig | grep -Pq -- "^h*blacklisth+$l_mpnameb"; then
 echo -e "
 - deny listing \"$l_mname\""
 echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mpname".conf
 fi
 }
 # Check if the module exists on the system
 for l_mdir in $l_mpath; do
 if [ -d "$l_mdir/$l_mndir" ] &amp;&amp; [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
 echo -e "
 - module: \"$l_mname\" exists in \"$l_mdir\"
 - checking if disabled..."
 module_deny_fix
 if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
 module_loadable_fix
 module_loaded_fix
 fi
 else
 echo -e "
 - module: \"$l_mname\" doesn't exist in \"$l_mdir\"
"
 fi
 done
 echo -e "
 - remediation of module: \"$l_mname\" complete
"
}

See Also

https://workbench.cisecurity.org/benchmarks/17331

Item Details

References: CSCv7|9.2

Plugin: Unix

Control ID: f7fda76562c0563562f9894146569e18ac89fc2e34b906830696ad57a5f74e5e