
The Photon operating system must disable the loading of unnecessary kernel modules.


Overview

Finding ID: V-239105
Version: PHTN-67-000033
Rule ID: SV-239105r816619_rule
IA Controls:
Severity: Medium
Description
To support the requirements and principles of least functionality, the operating system must provide only essential capabilities and limit the use of modules, protocols, and/or services to only those required for the proper functioning of the product. Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000114-GPOS-00059
STIG: VMware vSphere 6.7 Photon OS Security Technical Implementation Guide
Date: 2022-01-03

Details

Check Text (C-42316r816618_chk)
At the command line, execute the following command:

# modprobe --showconfig | grep "^install" | grep "/bin"

Expected result:

install sctp /bin/false
install dccp /bin/false
install dccp_ipv4 /bin/false
install dccp_ipv6 /bin/false
install ipx /bin/false
install appletalk /bin/false
install decnet /bin/false
install rds /bin/false
install tipc /bin/false
install bluetooth /bin/false
install usb-storage /bin/false
install ieee1394 /bin/false
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false

The output may include other statements outside of the expected result. This is acceptable. If the output does not include at least every statement in the expected result, this is a finding.
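
Added example (not part of the STIG text): a POSIX shell helper that automates the comparison above by reading "modprobe --showconfig" output and listing every required module that lacks an "install <module> /bin/false" statement. The function names and the sample configuration are constructed for illustration; hyphens and underscores in module names are compared as equivalent, as modprobe itself does, so usb-storage matches usb_storage.

```shell
#!/bin/sh
# Modules the expected result lists (kept on one line for awk -v).
REQUIRED_MODULES="sctp dccp dccp_ipv4 dccp_ipv6 ipx appletalk decnet rds tipc bluetooth"
REQUIRED_MODULES="$REQUIRED_MODULES usb-storage ieee1394 cramfs freevxfs jffs2 hfs hfsplus squashfs udf"

# Reads `modprobe --showconfig` text on stdin and prints, one per line, each
# required module with no exact "install <module> /bin/false" statement.
missing_modules() {
    awk -v required="$REQUIRED_MODULES" '
        # modprobe treats "-" and "_" in module names as the same character.
        function norm(s) { gsub(/-/, "_", s); return s }
        # Only a three-field install line pointing at /bin/false counts.
        $1 == "install" && NF == 3 && $3 == "/bin/false" { seen[norm($2)] = 1 }
        END {
            n = split(required, mods, " ")
            for (i = 1; i <= n; i++)
                if (!(norm(mods[i]) in seen)) print mods[i]
        }'
}

# Exit status 0 when stdin contains every required statement, 1 otherwise.
is_compliant() {
    [ -z "$(missing_modules)" ]
}

# Constructed sample output (not captured from a real host): three of the
# required modules are deliberately not disabled correctly.
sample_config() {
    for m in sctp dccp dccp_ipv4 dccp_ipv6 ipx appletalk decnet bluetooth \
             usb_storage ieee1394 cramfs freevxfs jffs2 hfs hfsplus squashfs; do
        echo "install $m /bin/false"
    done
    echo "install rds /bin/true"   # wrong command, must not count
    echo "blacklist tipc"          # blacklist is not an install statement
    echo "alias net-pf-10 off"     # unrelated line, ignored
}

# Demonstration on the sample; on a real system use:
#   modprobe --showconfig | missing_modules
echo "Missing from sample configuration:"
sample_config | missing_modules
```

Any module name printed by missing_modules corresponds to a finding under this rule; empty output means every expected statement is present.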
Fix Text (F-42275r675122_fix)
Open /etc/modprobe.d/modprobe.conf with a text editor and set the contents as follows:

install sctp /bin/false
install dccp /bin/false
install dccp_ipv4 /bin/false
install dccp_ipv6 /bin/false
install ipx /bin/false
install appletalk /bin/false
install decnet /bin/false
install rds /bin/false
install tipc /bin/false
install bluetooth /bin/false
install usb-storage /bin/false
install ieee1394 /bin/false
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false