Disable the uvcvideo module
An XCCDF Rule
Description
If the device contains a camera it should be covered or disabled when not in use.
Rationale
Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.
- ID
- xccdf_org.ssgproject.content_rule_kernel_module_uvcvideo_disabled
- Severity
- Medium
- Updated
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if LC_ALL=C grep -q -m 1 "^install uvcvideo" /etc/modprobe.d/uvcvideo.conf ; then
sed -i 's#^install uvcvideo.*#install uvcvideo /bin/true#g' /etc/modprobe.d/uvcvideo.conf
Remediation - Ansible
- name: Ensure kernel module 'uvcvideo' is disabled
lineinfile:
create: true
dest: /etc/modprobe.d/uvcvideo.conf
regexp: install\s+uvcvideo
line: install uvcvideo /bin/false