3.2.4 Ensure sctp kernel module is not available

Information

The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.

-IF- the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.

Solution

Run the following script to disable the sctp module:

-IF- the module is available in the running kernel:

- Create a file with install sctp /bin/false in the /etc/modprobe.d/ directory
- Create a file with blacklist sctp in the /etc/modprobe.d/ directory
- Unload sctp from the kernel

-IF- available in ANY installed kernel:

- Create a file with blacklist sctp in the /etc/modprobe.d/ directory

-IF- the kernel module is not available on the system or pre-compiled into the kernel:

- No remediation is necessary

#!/usr/bin/env bash

{
l_mname="sctp" # set module name
l_mtype="net" # set module type
l_mpath="/lib/modules/**/kernel/$l_mtype"
l_mpname="$(tr '-' '_' <<< "$l_mname")"
l_mndir="$(tr '-' '/' <<< "$l_mname")"

module_loadable_fix()
{
# If the module is currently loadable, add "install {MODULE_NAME} /bin/false" to a file in "/etc/modprobe.d"
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] &amp;&amp; l_loadable="$(grep -P -- "(^h*install|b$l_mname)b" <<< "$l_loadable")"
if ! grep -Pq -- '^h*install /bin/(true|false)' <<< "$l_loadable"; then
echo -e "
- setting module: \"$l_mname\" to be not loadable"
echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mpname".conf
fi
}
module_loaded_fix()
{
# If the module is currently loaded, unload the module
if lsmod | grep "$l_mname" > /dev/null 2>&amp;1; then
echo -e "
- unloading module \"$l_mname\""
modprobe -r "$l_mname"
fi
}
module_deny_fix()
{
# If the module isn't deny listed, denylist the module
if ! modprobe --showconfig | grep -Pq -- "^h*blacklisth+$l_mpnameb"; then
echo -e "
- deny listing \"$l_mname\""
echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mpname".conf
fi
}
# Check if the module exists on the system
for l_mdir in $l_mpath; do
if [ -d "$l_mdir/$l_mndir" ] &amp;&amp; [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
echo -e "
- module: \"$l_mname\" exists in \"$l_mdir\"
- checking if disabled..."
module_deny_fix
if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
module_loadable_fix
module_loaded_fix
fi
else
echo -e "
- module: \"$l_mname\" doesn't exist in \"$l_mdir\"
"
fi
done
echo -e "
- remediation of module: \"$l_mname\" complete
"
}

See Also

https://workbench.cisecurity.org/benchmarks/15289

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 7f1df2cd3ce77edfd075462876773c3885ba03937e3e73376cb515a9a252b363