Disable the uvcvideo module

An XCCDF Rule

Description

If the device contains a camera, it should be covered or disabled when not in use.

Rationale

Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.

ID
xccdf_org.ssgproject.content_rule_kernel_module_uvcvideo_disabled
Severity
Medium
References
Updated



Remediation - Kubernetes Patch

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:

Remediation - Shell Script

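# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if LC_ALL=C grep -q -m 1 "^install uvcvideo" /etc/modprobe.d/uvcvideo.conf ; then
	# An install line already exists: rewrite it to run a no-op instead of loading the module
	sed -i 's#^install uvcvideo.*#install uvcvideo /bin/true#g' /etc/modprobe.d/uvcvideo.conf
else
	# No install line yet: append one
	echo "install uvcvideo /bin/true" >> /etc/modprobe.d/uvcvideo.conf
fi

fi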

Remediation - Ansible

- name: Ensure kernel module 'uvcvideo' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/uvcvideo.conf
    regexp: install\s+uvcvideo
    line: install uvcvideo /bin/false
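
To confirm the remediations above took effect, the following audit check is an added example, not part of the rule's own content. The function names are hypothetical, and the modules file and modprobe.d directories are passed as arguments (an assumption made so the check can also run against a copied config tree).

```shell
#!/bin/sh
# Added example: audit the state the remediations above aim for.
# Helper names are hypothetical; paths are arguments, not hard-coded.

# Print every active "install uvcvideo ..." line found in the given directories.
uvc_install_lines() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            # Commented lines do not match; tabs between fields are tolerated.
            grep -E '^[[:space:]]*install[[:space:]]+uvcvideo([[:space:]]|$)' "$f" || true
        done
    done
}

# Return 0 if uvcvideo is disabled by config and not currently loaded.
# $1 = modules file (e.g. /proc/modules); remaining args = modprobe.d dirs.
check_uvcvideo_disabled() {
    modules_file=$1; shift
    lines=$(uvc_install_lines "$@")
    if [ -z "$lines" ]; then
        echo "FAIL: no 'install uvcvideo' override found"; return 1
    fi
    # Every override must run /bin/true or /bin/false (both are used above).
    bad=$(printf '%s\n' "$lines" |
          grep -Ev '^[[:space:]]*install[[:space:]]+uvcvideo[[:space:]]+/bin/(true|false)[[:space:]]*$' || true)
    if [ -n "$bad" ]; then
        echo "FAIL: override runs something else: $bad"; return 1
    fi
    # Editing the config does not unload a module that is already resident.
    if [ -r "$modules_file" ] && grep -q '^uvcvideo ' "$modules_file"; then
        echo "FAIL: uvcvideo is currently loaded"; return 1
    fi
    echo "PASS: uvcvideo disabled"; return 0
}

# Typical invocation on a live host:
# check_uvcvideo_disabled /proc/modules /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d
```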