Disable CAN Support
An XCCDF Rule
Description
The Controller Area Network (CAN) is a serial communications
protocol which was initially developed for automotive and
is now also used in marine, industrial, and medical applications.
To configure the system to prevent the can
kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf
:
install can /bin/true
Rationale
Disabling CAN protects the system against exploitation of any flaws in its implementation.
- ID
- xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
- Severity
- Medium
- References
- Updated
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if LC_ALL=C grep -q -m 1 "^install can" /etc/modprobe.d/can.conf ; then
sed -i 's#^install can.*#install can /bin/true#g' /etc/modprobe.d/can.conf
Remediation - Ansible
- name: Ensure kernel module 'can' is disabled
lineinfile:
create: true
dest: /etc/modprobe.d/can.conf
regexp: install\s+can
line: install can /bin/false