Enable module signature verification

An XCCDF Rule

Description

Check modules for valid signatures upon load. Note that this option adds the OpenSSL development packages as a kernel build dependency so that the signing tool can use its crypto library. The configuration that was used to build the kernel is available at /boot/config-*. To check the configuration value for CONFIG_MODULE_SIG, run the following command:

grep CONFIG_MODULE_SIG /boot/config-*

For each kernel installed, a line with value "y" should be returned.
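The grep above is a substring match, so it also prints related options such as CONFIG_MODULE_SIG_ALL and the "# CONFIG_MODULE_SIG is not set" comment line. The following added example (not part of the rule content; the function names check_module_sig and demo_dir are hypothetical) does an exact-match audit of each config file and fails when any installed kernel lacks the setting.

```shell
#!/bin/sh
# Added example: exact-match audit of CONFIG_MODULE_SIG per kernel config.
# Usage: check_module_sig /boot
# Prints one PASS/FAIL line per DIR/config-* file and returns 0 only if
# every file contains the exact line CONFIG_MODULE_SIG=y.
check_module_sig() {
    dir=${1:-/boot}
    rc=0
    found=0
    for cfg in "$dir"/config-*; do
        # An unmatched glob stays literal; skip anything that is not a file.
        [ -f "$cfg" ] || continue
        found=1
        # -x matches the whole line, so CONFIG_MODULE_SIG_ALL=y and
        # "# CONFIG_MODULE_SIG is not set" do not count as a pass.
        if grep -qx 'CONFIG_MODULE_SIG=y' "$cfg"; then
            echo "PASS $cfg"
        else
            echo "FAIL $cfg"
            rc=1
        fi
    done
    # No config files means nothing was verified: report that as a failure.
    [ "$found" -eq 1 ] || { echo "FAIL no config-* files in $dir"; rc=1; }
    return "$rc"
}

# Constructed sample input (not real kernel configs) for an offline run.
demo_dir() {
    d=$(mktemp -d)
    printf 'CONFIG_MODULES=y\nCONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_ALL=y\n' \
        > "$d/config-good"
    printf 'CONFIG_MODULES=y\n# CONFIG_MODULE_SIG is not set\n' \
        > "$d/config-bad"
    echo "$d"
}
```
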

Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

Loaded modules must be signed.

ID
xccdf_org.ssgproject.content_rule_kernel_config_module_sig
Severity
Medium