3.2.3 Ensure rds kernel module is not available

Information

The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation.

-IF- the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface.

Solution

Run the following script to disable the rds module:

-IF- the module is available in the running kernel:

- Create a file with install rds /bin/false in the /etc/modprobe.d/ directory
- Create a file with blacklist rds in the /etc/modprobe.d/ directory
- Unload rds from the kernel

-IF- available in ANY installed kernel:

- Create a file with blacklist rds in the /etc/modprobe.d/ directory

-IF- the kernel module is not available on the system or pre-compiled into the kernel:

- No remediation is necessary

#!/usr/bin/env bash

{
l_mname="rds" # set module name
l_mtype="net" # set module type
l_mpath="/lib/modules/**/kernel/$l_mtype"
l_mpname="$(tr '-' '_' <<< "$l_mname")"
l_mndir="$(tr '-' '/' <<< "$l_mname")"

module_loadable_fix()
{
# If the module is currently loadable, add "install {MODULE_NAME} /bin/false" to a file in "/etc/modprobe.d"
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] &amp;&amp; l_loadable="$(grep -P -- "(^h*install|b$l_mname)b" <<< "$l_loadable")"
if ! grep -Pq -- '^h*install /bin/(true|false)' <<< "$l_loadable"; then
echo -e "
- setting module: \"$l_mname\" to be not loadable"
echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mpname".conf
fi
}
module_loaded_fix()
{
# If the module is currently loaded, unload the module
if lsmod | grep "$l_mname" > /dev/null 2>&amp;1; then
echo -e "
- unloading module \"$l_mname\""
modprobe -r "$l_mname"
fi
}
module_deny_fix()
{
# If the module isn't deny listed, denylist the module
if ! modprobe --showconfig | grep -Pq -- "^h*blacklisth+$l_mpnameb"; then
echo -e "
- deny listing \"$l_mname\""
echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mpname".conf
fi
}
# Check if the module exists on the system
for l_mdir in $l_mpath; do
if [ -d "$l_mdir/$l_mndir" ] &amp;&amp; [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
echo -e "
- module: \"$l_mname\" exists in \"$l_mdir\"
- checking if disabled..."
module_deny_fix
if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
module_loadable_fix
module_loaded_fix
fi
else
echo -e "
- module: \"$l_mname\" doesn't exist in \"$l_mdir\"
"
fi
done
echo -e "
- remediation of module: \"$l_mname\" complete
"
}

See Also

https://workbench.cisecurity.org/benchmarks/15023

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 704e53c8f9c9f6f2844cb4d7861ca871d5c445067f1be2405eab5540f365051b