The Photon operating system must disable the loading of unnecessary kernel modules.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256509	PHTN-30-000032	SV-256509r887201_rule		Medium

Description
To support the requirements and principles of least functionality, the operating system must provide only essential capabilities and limit the use of modules, protocols, and/or services to only those required for the proper functioning of the product. Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000114-GPOS-00059

STIG	Date
VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide	2023-12-01

Details

Check Text ( C-60184r887199_chk )
At the command line, run the following command: # modprobe --showconfig \| grep "^install" \| grep "/bin" Expected result: install sctp /bin/false install dccp /bin/false install dccp_ipv4 /bin/false install dccp_ipv6 /bin/false install ipx /bin/false install appletalk /bin/false install decnet /bin/false install rds /bin/false install tipc /bin/false install bluetooth /bin/false install usb_storage /bin/false install ieee1394 /bin/false install cramfs /bin/false install freevxfs /bin/false install jffs2 /bin/false install hfs /bin/false install hfsplus /bin/false install squashfs /bin/false install udf /bin/false The output may include other statements outside of the expected result. If the output does not include at least every statement in the expected result, this is a finding.

Check Text ( C-60184r887199_chk )

At the command line, run the following command:

# modprobe --showconfig | grep "^install" | grep "/bin"

Expected result:

install sctp /bin/false
install dccp /bin/false
install dccp_ipv4 /bin/false
install dccp_ipv6 /bin/false
install ipx /bin/false
install appletalk /bin/false
install decnet /bin/false
install rds /bin/false
install tipc /bin/false
install bluetooth /bin/false
install usb_storage /bin/false
install ieee1394 /bin/false
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false

The output may include other statements outside of the expected result.

If the output does not include at least every statement in the expected result, this is a finding.

Fix Text (F-60127r887200_fix)
Navigate to and open: /etc/modprobe.d/modprobe.conf Set the contents as follows: install sctp /bin/false install dccp /bin/false install dccp_ipv4 /bin/false install dccp_ipv6 /bin/false install ipx /bin/false install appletalk /bin/false install decnet /bin/false install rds /bin/false install tipc /bin/false install bluetooth /bin/false install usb_storage /bin/false install ieee1394 /bin/false install cramfs /bin/false install freevxfs /bin/false install jffs2 /bin/false install hfs /bin/false install hfsplus /bin/false install squashfs /bin/false install udf /bin/false

Fix Text (F-60127r887200_fix)

Navigate to and open:

/etc/modprobe.d/modprobe.conf

Set the contents as follows:

install sctp /bin/false
install dccp /bin/false
install dccp_ipv4 /bin/false
install dccp_ipv6 /bin/false
install ipx /bin/false
install appletalk /bin/false
install decnet /bin/false
install rds /bin/false
install tipc /bin/false
install bluetooth /bin/false
install usb_storage /bin/false
install ieee1394 /bin/false
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false