The Photon operating system must disable the loading of unnecessary kernel modules.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-256509 | PHTN-30-000032 | SV-256509r958480_rule | CCI-000382 | medium |
| Description | ||||
| To support the requirements and principles of least functionality, the operating system must provide only essential capabilities and limit the use of modules, protocols, and/or services to only those required for the proper functioning of the product. Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000114-GPOS-00059 | ||||
| STIG | Date | |||
| VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide | 2024-12-16 | |||
Details
Check Text (C-256509r958480_chk)
At the command line, run the following command:
# modprobe --showconfig | grep "^install" | grep "/bin"
Expected result:
install sctp /bin/false
install dccp /bin/false
install dccp_ipv4 /bin/false
install dccp_ipv6 /bin/false
install ipx /bin/false
install appletalk /bin/false
install decnet /bin/false
install rds /bin/false
install tipc /bin/false
install bluetooth /bin/false
install usb_storage /bin/false
install ieee1394 /bin/false
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false
The output may include other statements outside of the expected result.
If the output does not include at least every statement in the expected result, this is a finding.
Fix Text (F-60127r887200_fix)
Navigate to and open:
/etc/modprobe.d/modprobe.conf
Set the contents as follows:
install sctp /bin/false
install dccp /bin/false
install dccp_ipv4 /bin/false
install dccp_ipv6 /bin/false
install ipx /bin/false
install appletalk /bin/false
install decnet /bin/false
install rds /bin/false
install tipc /bin/false
install bluetooth /bin/false
install usb_storage /bin/false
install ieee1394 /bin/false
install cramfs /bin/false
install freevxfs /bin/false
install jffs2 /bin/false
install hfs /bin/false
install hfsplus /bin/false
install squashfs /bin/false
install udf /bin/false