Require modules to be validly signed

An XCCDF Rule

Details
Profiles
Prose

Description

Reject unsigned modules or signed modules with an unknown key. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODULE_SIG_FORCE, run the following command: grep CONFIG_MODULE_SIG_FORCE /boot/config-* For each kernel installed, a line with value "y" should be returned.

warning alert: Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

Prevent loading modules that are unsigned or signed with an unknown key.

ID: xccdf_org.ssgproject.content_rule_kernel_config_module_sig_force
Severity: Medium
References: BP28(R18)
Updated: about 1 year ago