A number of the kernel modules that need to be disabled have inconsistent guidance and tests. The guidance says to add a file in /etc/modprobe.d/ with the content:

"install <module> /bin/true"

However, the actual check in the scan tests for:

"install <module> /bin/false"


This is a list of the ones I found:

$ cd scap-security-guide/RHEL6/dist/content
$ grep -h install * | grep -E "rds|ticp|usb-storage|cramfs|freevsfs|jffs2|hfs|hfsplus|squashfs|udf|dccp|sctp" | grep -E "true|false"

<ind:pattern operation="pattern match">^\s*install\s+hfs\s+/bin/false$</ind:pattern>
<ind:pattern operation="pattern match">^\s*install\s+sctp\s+/bin/false$</ind:pattern>
<ind:pattern operation="pattern match">^\s*install\s+rds\s+/bin/false$</ind:pattern>
<ind:pattern operation="pattern match">^\s*install\s+jffs2\s+/bin/false$</ind:pattern>
<ind:pattern operation="pattern match">^\s*install\s+cramfs\s+/bin/false$</ind:pattern>
<ind:pattern operation="pattern match">^\s*install\s+dccp\s+/bin/false$</ind:pattern>
<ind:pattern operation="pattern match">^\s*install\s+udf\s+/bin/false$</ind:pattern>
<ind:pattern operation="pattern match">^\s*install\s+hfsplus\s+/bin/false$</ind:pattern>
<ind:pattern operation="pattern match">^\s*install\s+squashfs\s+/bin/false$</ind:pattern>
<ind:pattern operation="pattern match">^\s*install\s+usb-storage\s+/bin/false$</ind:pattern>
<xhtml:pre xml:space="preserve">install usb-storage /bin/true</xhtml:pre>
<xhtml:pre xml:space="preserve">install cramfs /bin/true</xhtml:pre>
<xhtml:pre xml:space="preserve">install freevsfs /bin/true</xhtml:pre>
<xhtml:pre xml:space="preserve">install jffs2 /bin/true</xhtml:pre>
<xhtml:pre xml:space="preserve">install hfs /bin/true</xhtml:pre>
<xhtml:pre xml:space="preserve">install hfsplus /bin/true</xhtml:pre>
<xhtml:pre xml:space="preserve">install squashfs /bin/true</xhtml:pre>
<xhtml:pre xml:space="preserve">install udf /bin/true</xhtml:pre>
<xhtml:pre xml:space="preserve">install dccp /bin/true</xhtml:pre>
<xhtml:pre xml:space="preserve">install sctp /bin/true</xhtml:pre>
<xhtml:pre xml:space="preserve">install rds /bin/true</xhtml:pre>


Either /bin/true or /bin/false should work to disable the modules. Setting our files to /bin/false causes the scans to pass right now.

Thanks,
Philip
_______________________________________________
scap-security-guide mailing list
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
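
The mismatch reported in the message above can be checked locally before a scan. The following is an added example, not part of the original message or of scap-security-guide: it applies the quoted `<ind:pattern>` expression and the guidance form line by line to modprobe configuration text. The function names, the status labels and the sample configuration are assumptions made for illustration.

```python
import re

# Module names as they appear in the grep output quoted in the message.
MODULES = ["usb-storage", "cramfs", "freevsfs", "jffs2", "hfs", "hfsplus",
           "squashfs", "udf", "dccp", "sctp", "rds"]


def _pattern(module, target):
    # Same shape as the quoted check: ^\s*install\s+<module>\s+/bin/false$
    return re.compile(r"^\s*install\s+%s\s+%s$" % (re.escape(module), re.escape(target)))


def classify(conf_text, modules=MODULES):
    """Map each module to 'scan-pass', 'guidance-only' or 'missing'."""
    lines = conf_text.splitlines()
    result = {}
    for module in modules:
        scan = _pattern(module, "/bin/false")      # what the scan check matches
        guide = _pattern(module, "/bin/true")      # what the guidance text says
        if any(scan.search(line) for line in lines):
            result[module] = "scan-pass"
        elif any(guide.search(line) for line in lines):
            result[module] = "guidance-only"       # follows guidance, fails scan
        else:
            result[module] = "missing"
    return result


def guidance_only(conf_text, modules=MODULES):
    """Modules configured per the guidance that the scan pattern will not match."""
    return [m for m, s in classify(conf_text, modules).items() if s == "guidance-only"]


# Constructed sample of /etc/modprobe.d/ content (not taken from a real system).
SAMPLE = """\
install cramfs /bin/true
install hfs /bin/false
  install udf   /bin/false
#install sctp /bin/false
install hfsplus /bin/true
"""

if __name__ == "__main__":
    for module, status in classify(SAMPLE).items():
        print("%-12s %s" % (module, status))
```

To check a real host, concatenate the contents of the files under /etc/modprobe.d/ and pass the text to `classify`.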