Disable the uvcvideo module

An XCCDF Rule

Description

If the device contains a camera it should be covered or disabled when not in use.

Rationale

Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.

ID: xccdf_org.ssgproject.content_rule_kernel_module_uvcvideo_disabled
Severity: Medium
References: CCI-000381

CM-7 (5) (b) CM-7 (a)

SRG-OS-000095-GPOS-00049 SRG-OS-000370-GPOS-00155
Updated: over 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-7 (5) (b)
  - NIST-800-53-CM-7 (a)  - disable_strategy
  - kernel_module_uvcvideo_disabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required

- name: Ensure kernel module 'uvcvideo' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/uvcvideo.conf
    regexp: install\s+uvcvideo
    line: install uvcvideo /bin/false
  when: '"kernel-default" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-7 (5) (b)
  - NIST-800-53-CM-7 (a)
  - disable_strategy
  - kernel_module_uvcvideo_disabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required

- name: Ensure kernel module 'uvcvideo' is blacklisted
  lineinfile:
    create: true
    dest: /etc/modprobe.d/uvcvideo.conf
    regexp: ^blacklist uvcvideo$
    line: blacklist uvcvideo
  when: '"kernel-default" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-7 (5) (b)
  - NIST-800-53-CM-7 (a)
  - disable_strategy
  - kernel_module_uvcvideo_disabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default; then

if LC_ALL=C grep -q -m 1 "^install uvcvideo" /etc/modprobe.d/uvcvideo.conf ; then
	
	sed -i 's#^install uvcvideo.*#install uvcvideo /bin/false#g' /etc/modprobe.d/uvcvideo.confelse
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/uvcvideo.conf
	echo "install uvcvideo /bin/false" >> /etc/modprobe.d/uvcvideo.conf
fi

if ! LC_ALL=C grep -q -m 1 "^blacklist uvcvideo$" /etc/modprobe.d/uvcvideo.conf ; then
	echo "blacklist uvcvideo" >> /etc/modprobe.d/uvcvideo.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable the uvcvideo module

Description

Rationale

Remediation - Ansible

Remediation - Shell Script