Disable CAN Support

An XCCDF Rule

Description

The Controller Area Network (CAN) is a serial communications protocol which was initially developed for automotive and is now also used in marine, industrial, and medical applications. To configure the system to prevent the can kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf:

install can /bin/false

To configure the system to prevent the can from being used, add the following line to file /etc/modprobe.d/can.conf:

blacklist can

Rationale

Disabling CAN protects the system against exploitation of any flaws in its implementation.

ID: xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
Severity: Medium
References: CCI-000381

AC-18

FMT_SMF_EXT.1

SRG-OS-000095-GPOS-00049 SRG-OS-000480-GPOS-00227

RHEL-08-040022

CCE-82059-7

SV-230495r1017278_rule
Updated: 5 days ago

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

if LC_ALL=C grep -q -m 1 "^install can" /etc/modprobe.d/can.conf ; then
	
	sed -i 's#^install can.*#install can /bin/false#g' /etc/modprobe.d/can.confelse
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/can.conf
	echo "install can /bin/false" >> /etc/modprobe.d/can.conf
fi

if ! LC_ALL=C grep -q -m 1 "^blacklist can$" /etc/modprobe.d/can.conf ; then
	echo "blacklist can" >> /etc/modprobe.d/can.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,install%20can%20/bin/false%0Ablacklist%20can%0A
        mode: 0644
        path: /etc/modprobe.d/can.conf
        overwrite: true

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-82059-7
  - DISA-STIG-RHEL-08-040022  - NIST-800-53-AC-18
  - disable_strategy
  - kernel_module_can_disabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required

- name: Ensure kernel module 'can' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/can.conf
    regexp: install\s+can
    line: install can /bin/false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-82059-7
  - DISA-STIG-RHEL-08-040022
  - NIST-800-53-AC-18
  - disable_strategy
  - kernel_module_can_disabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required

- name: Ensure kernel module 'can' is blacklisted
  lineinfile:
    create: true
    dest: /etc/modprobe.d/can.conf
    regexp: ^blacklist can$
    line: blacklist can
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-82059-7
  - DISA-STIG-RHEL-08-040022
  - NIST-800-53-AC-18
  - disable_strategy
  - kernel_module_can_disabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required

Disable CAN Support

Description

Rationale

Remediation - Shell Script

Remediation - Kubernetes Patch

Remediation - Ansible