Improve CIS SCTP kernel module check #3564
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
stmcginnis
changed the title
bcressey
approved these changes
Nov 3, 2023
The level 2 check 3.3.1 verifies the sctp kernel module is disabled. The current check for whether it was already loaded was not correct. There is a second check to make sure loading is also disabled. If the setting for loading is to not allow it, but the module is already laoded, the check does not return the expected output. So it would stillr eport failure, but it is less than ideal for reporting the actual issue. This changes the check for whether the module is loaded to correctly identify if the module is loaded or not before checking whether the ability has been disabled. Signed-off-by: Sean McGinnis <stmcg@amazon.com>
yeazelm
approved these changes
Nov 3, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue number:
N/A
Description of changes:
The level 2 check 3.3.1 verifies the sctp kernel module is disabled. The current check for whether it was already loaded was not correct. There is a second check to make sure loading is also disabled. If the setting for loading is to not allow it, but the module is already laoded, the check does not return the expected output. So it would stillr eport failure, but it is less than ideal for reporting the actual issue.
This changes the check for whether the module is loaded to correctly identify if the module is loaded or not before checking whether the ability has been disabled.
Testing done:
With default settings:
bash-5.1# lsmod | grep sctp bash-5.1# modprobe -n -v sctp insmod /lib/modules/5.15.134/kernel/net/ipv4/udp_tunnel.ko.xz insmod /lib/modules/5.15.134/kernel/net/ipv6/ip6_udp_tunnel.ko.xz bash-5.1# apiclient report cis -l 2 ... [FAIL] 3.3.1 Ensure SCTP is disabled (Automatic) ...With driver loaded:
bash-5.1# insmod /lib/modules/5.15.134/kernel/net/ipv4/udp_tunnel.ko.xz bash-5.1# insmod /lib/modules/5.15.134/kernel/net/ipv6/ip6_udp_tunnel.ko.xz bash-5.1# insmod /lib/modules/5.15.134/kernel/net/sctp/sctp.ko.xz bash-5.1# lsmod | grep sctp sctp 454656 6 ip6_udp_tunnel 16384 1 sctp udp_tunnel 24576 1 sctp bash-5.1# apiclient report cis -l 2 ... [FAIL] 3.3.1 Ensure SCTP is disabled (Automatic) ...With driver loading disabled and after reboot so module could be unloaded:
bash-5.1# apiclient set kernel.modules.sctp.allowed=false bash-5.1# reboot bash-5.1# apiclient report cis -l 2 ... [PASS] 3.3.1 Ensure SCTP is disabled (Automatic) ...Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.