Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/338720 )
Change subject: Blacklist kernel modules for DCCP protocol
......................................................................

Blacklist kernel modules for DCCP protocol

DCCP isn't used anywhere in our infrastructure, so blacklist the kernel modules to reduce our attack footprint: The Linux kernel uses protocol autoloading, i.e. opening a SOCK_DCCP socket by an unprivileged user loads the kernel module.

Debian disabled several other unused/experimental network protocols in local patches (like Acorn networking or RDS), but DCCP isn't covered by this so far.

Via salt I found a few systems which have the dccp kernel modules loaded. However, I tracked all of these down to indirect loading of inet_diag: Running ss(8) loads the inet_diag kernel module, which in turn loads dccp_diag, which loads the dccp kernel module. I'll manually rmmod those for completeness after merging this patch.

Change-Id: I73fb11451834a0a57d659fb34cbb75e5e0462d38
---
M modules/base/files/kernel/blacklist-wmf.conf
1 file changed, 5 insertions(+), 0 deletions(-)

git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/20/338720/1

diff --git a/modules/base/files/kernel/blacklist-wmf.conf b/modules/base/files/kernel/blacklist-wmf.conf
index 990e83b..a8106b1 100644
--- a/modules/base/files/kernel/blacklist-wmf.conf
+++ b/modules/base/files/kernel/blacklist-wmf.conf
@@ -4,3 +4,8 @@ blacklist usbip-core blacklist usbip-host blacklist vhci-hcd +blacklist dccp +blacklist dccp_ipv6 +blacklist dccp_ipv4 +blacklist dccp_probe +blacklist dccp_diag -- To view, visit https://gerrit.wikimedia.org/r/338720 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I73fb11451834a0a57d659fb34cbb75e5e0462d38 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff <[email protected]> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
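Review bot: a modprobe.d `blacklist` entry only suppresses alias-based autoloading, which does cover the unprivileged SOCK_DCCP socket() path described in the commit message, but it does not stop a module that is requested by name (e.g. `modprobe dccp`) or pulled in as a dependency of another module; if the goal is to make DCCP unloadable rather than merely not autoloaded, `install dccp /bin/true` (and the same for `dccp_ipv4`, `dccp_ipv6` and `dccp_diag`) is the stronger form. Since the rest of blacklist-wmf.conf uses plain `blacklist` lines, a short comment above the five new entries explaining which loading path they are meant to close would help the next reader decide whether the `install` form is needed here.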
