[Q] Reason for disabling dccp sctp rds tipc kernel modules? #27
Comments
Hi @nodiscc, those are disabled since you should "disable what you don't need" as you put it. CIS Ubuntu 20.04 Benchmark:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
I found the same reference in CIS_Debian_Linux_10_Benchmark_v1.0.0.pdf: So it is indeed a generic "reduce attack surface" measure, and also required for CIS benchmark compliance - not about a specific problem in these modules/protocols. I assume it is safe enough to disable them by default as they are rarely used. It might be good to add some inline comments to the default modules blacklist (eg. thanks for your quick reply!
Interesting timing for this advisory :) 👍 I read a bit about SCTP and the Linux implementation, having a default DENY firewall policy will also stop SCTP traffic from going in or out of the machine - unless you explicitly add
There are other protocols in iptables extensions. Disabling the modules in addition doesn't hurt, so I came to the conclusion that you can safely disable all protocol related kernel modules for which you don't have an iptables rule:

```
$ find /lib/modules/5.9.0-0.bpo.2-amd64/kernel/* -type f|grep net|grep -E "udplite|icmp|esp|ah|sctp|mh|dccp"
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/sctp/sctp_diag.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/sctp/sctp.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv4/ah4.ko
...
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv4/esp4.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv4/netfilter/ipt_ah.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv4/esp4_offload.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/6lowpan/nhc_ghc_icmpv6.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/netfilter/ipvs/ip_vs_mh.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/netfilter/xt_esp.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/netfilter/xt_dccp.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/netfilter/xt_sctp.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv6/esp6.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv6/ah6.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv6/esp6_offload.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv6/netfilter/ip6t_mh.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/ipv6/netfilter/ip6t_ah.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/dccp/dccp.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/dccp/dccp_ipv4.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/dccp/dccp_ipv6.ko
/lib/modules/5.9.0-0.bpo.2-amd64/kernel/net/dccp/dccp_diag.ko
```

None of these are currently enabled on my machines so I will try blacklisting some. There is a vulnerability in the rds module on Linux <5.0.8 (requires an application actually using RDS to be vulnerable - but disabling the module will likely break your application). However about the firefox advisory: https://webrtcglossary.com/sctp/

The vulnerability is probably in the WebRTC implementation of SCTP, so disabling the kernel module won't help.
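The "blacklist what isn't loaded" step the comment above ends on, written out as an added example (not code from this thread, the hardening role, or the CIS/STIG documents): it takes the module list discussed in the issue, a constructed sample of `lsmod` output standing in for the live system, and prints modprobe.d lines in the `install <module> /bin/false` plus `blacklist <module>` form, refusing to block any module that is currently loaded so an in-use protocol is not silently broken. The function names, the sample `lsmod` text and the comment header are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate a modprobe.d blocklist for unused network protocol
# modules, skipping any module that lsmod reports as loaded.

# Modules named in the issue (assumed default list; adjust to your hosts).
NET_MODULES_BLOCKLIST="dccp sctp rds tipc"

# Constructed sample of `lsmod` output used in place of the live system.
# On a real host replace this with: SAMPLE_LSMOD=$(lsmod)
SAMPLE_LSMOD='Module                  Size  Used by
sctp                  450560  2
xt_sctp                16384  1
nf_tables             245760  0'

# is_loaded MODULE LSMOD_TEXT
# Succeeds when MODULE appears in the first column of the lsmod text
# (the header line is skipped).
is_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# render_blocklist MODULES LSMOD_TEXT
# Prints modprobe.d content for every module that is not loaded.
# Loaded modules are reported on stderr and skipped; the function then
# returns 1 so the caller knows the list was not applied in full.
render_blocklist() {
    mods=$1
    lsmod_text=$2
    rc=0
    printf '# Network protocol modules not in use on this host (CIS "uncommon network protocols")\n'
    for m in $mods; do
        if is_loaded "$m" "$lsmod_text"; then
            printf 'refusing to block %s: module is currently loaded\n' "$m" >&2
            rc=1
            continue
        fi
        # "install ... /bin/false" makes any load attempt a no-op that fails;
        # "blacklist" additionally stops alias-based autoloading at boot.
        printf 'install %s /bin/false\n' "$m"
        printf 'blacklist %s\n' "$m"
    done
    return $rc
}

# Stand-alone usage: print the config and note whether anything was skipped.
render_blocklist "$NET_MODULES_BLOCKLIST" "$SAMPLE_LSMOD" \
    || printf 'some modules were skipped; review before installing the file\n' >&2
```

To apply it on a host, set `SAMPLE_LSMOD=$(lsmod)` and redirect stdout to a file under `/etc/modprobe.d/`, then rerun `lsmod` after the next boot to confirm nothing reappeared. The `install` line is what actually prevents loading; `blacklist` alone only suppresses alias-based autoload and a plain `modprobe <module>` would still succeed. Both `/bin/false` and `/bin/true` prevent the load; `/bin/false` makes an explicit load attempt fail visibly, which is easier to notice when something does turn out to need the protocol.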
Hi,
I traced back the addition of `net_modules_blocklist` to 6000ef9. From this commit I cannot tell why these particular modules (dccp, sctp, rds, tipc) were disabled. What is the reason for disabling these modules? Is it a generic "disable what you don't need" task (in which case it might be better to leave the default list empty, as the modules could be in use on some systems)? Or is there a specific problem/security risk related to dccp/sctp/rds/tipc modules?
Thanks for this interesting role, I am learning from it and mixing it with https://github.com/dev-sec/ansible-collection-hardening/ and https://github.com/nodiscc/xsrv/tree/master/roles/common