Disable CAN Support

An XCCDF Rule

Description

The Controller Area Network (CAN) is a serial communications protocol which was initially developed for automotive and is now also used in marine, industrial, and medical applications. To configure the system to prevent the can kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf:

install can /bin/false

Rationale

Disabling CAN protects the system against exploitation of any flaws in its implementation.

ID: xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
Severity: Medium
References: CCI-000381

AC-18

FMT_SMF_EXT.1

SRG-OS-000095-GPOS-00049 SRG-OS-000480-GPOS-00227

CCE-82519-0
Updated: about 1 month ago

Remediation Templates

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    storage:
      files:
      - contents:
          source: data:,install%20can%20/bin/false%0Ablacklist%20can%0A
        mode: 0644
        path: /etc/modprobe.d/can.conf
        overwrite: true

Disable CAN Support

Description

Rationale

Remediation Templates

A Kubernetes Patch