Disable ATM Support

An XCCDF Rule

Description

The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. To configure the system to prevent the atm kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf:

install atm /bin/false

To configure the system to prevent the atm from being used, add the following line to file /etc/modprobe.d/atm.conf:

blacklist atm

Rationale

Disabling ATM protects the system against exploitation of any flaws in its implementation.

ID: xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
Severity: Medium
References: CCI-000381

AC-18

SRG-OS-000095-GPOS-00049 SRG-OS-000480-GPOS-00227

RHEL-08-040021

CCE-82028-2

SV-230494r1017277_rule
Updated: 5 days ago

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20atm%20/bin/false%0Ablacklist%20atm%0A
        mode: 0644
        path: /etc/modprobe.d/atm.conf
        overwrite: true

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-82028-2
  - DISA-STIG-RHEL-08-040021  - NIST-800-53-AC-18
  - disable_strategy
  - kernel_module_atm_disabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required

- name: Ensure kernel module 'atm' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/atm.conf
    regexp: install\s+atm
    line: install atm /bin/false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-82028-2
  - DISA-STIG-RHEL-08-040021
  - NIST-800-53-AC-18
  - disable_strategy
  - kernel_module_atm_disabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required

- name: Ensure kernel module 'atm' is blacklisted
  lineinfile:
    create: true
    dest: /etc/modprobe.d/atm.conf
    regexp: ^blacklist atm$
    line: blacklist atm
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-82028-2
  - DISA-STIG-RHEL-08-040021
  - NIST-800-53-AC-18
  - disable_strategy
  - kernel_module_atm_disabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

if LC_ALL=C grep -q -m 1 "^install atm" /etc/modprobe.d/atm.conf ; then
	
	sed -i 's#^install atm.*#install atm /bin/false#g' /etc/modprobe.d/atm.confelse
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/atm.conf
	echo "install atm /bin/false" >> /etc/modprobe.d/atm.conf
fi

if ! LC_ALL=C grep -q -m 1 "^blacklist atm$" /etc/modprobe.d/atm.conf ; then
	echo "blacklist atm" >> /etc/modprobe.d/atm.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable ATM Support

Description

Rationale

Remediation - Kubernetes Patch

Remediation - Ansible

Remediation - Shell Script