MEDIUM RHCOS (Node) M21: Kernel Module Blacklist P3
Remediation required. This group (18 checks) fails on vanilla RHCOS 9.8 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 4.22, RHCOS 9.8) with compliance-operator v1.8.2.
Overview
Disables unnecessary kernel modules to reduce the attack surface. Blacklists network protocols (SCTP, TIPC, ATM, CAN), wireless drivers (bluetooth, WiFi), obsolete filesystems (cramfs, hfs, jffs2), and removable storage (USB, FireWire).
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| atm-disabled | Disable ATM network protocol |
| bluetooth-disabled | Disable Bluetooth |
| can-disabled | Disable CAN bus protocol |
| cfg80211-disabled | Disable wireless configuration |
| cramfs-disabled | Disable cramfs filesystem |
| firewire-core-disabled | Disable FireWire |
| freevxfs-disabled | Disable FreeVxFS filesystem |
| hfs-disabled | Disable HFS filesystem |
| hfsplus-disabled | Disable HFS+ filesystem |
| iwlmvm-disabled | Disable Intel WiFi MVM driver |
| iwlwifi-disabled | Disable Intel WiFi driver |
| jffs2-disabled | Disable JFFS2 filesystem |
| mac80211-disabled | Disable wireless MAC layer |
| sctp-disabled | Disable SCTP protocol |
| squashfs-disabled | Disable SquashFS filesystem |
| tipc-disabled | Disable TIPC protocol |
| udf-disabled | Disable UDF filesystem |
| usb-storage-disabled | Disable USB mass storage |
Verification
```shell
oc debug node/<node> -- chroot /host lsmod | grep -E 'bluetooth|usb.storage|sctp'
```
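A MachineConfig remediation for these 18 checks, as an added example (not the compliance-operator's generated remediation and not the openshift/os proposal below): it assembles the modprobe.d content for the modules in the table, wraps it in the percent-encoded data URL that Ignition expects, and mirrors the lsmod verification step. The /etc/modprobe.d path, the MachineConfig name, the Ignition version and the `install <module> /bin/false` plus `blacklist <module>` wording are assumptions, not values taken from this page.

```python
from urllib.parse import quote, unquote

# The 18 modules named by the checks in the table above.
MODULES = (
    "atm", "bluetooth", "can", "cfg80211", "cramfs", "firewire-core",
    "freevxfs", "hfs", "hfsplus", "iwlmvm", "iwlwifi", "jffs2",
    "mac80211", "sctp", "squashfs", "tipc", "udf", "usb-storage",
)
# Assumed path: /usr is read-only on RHCOS, so the cluster-side version of the
# proposed /usr/lib/modprobe.d file has to land under /etc/modprobe.d instead.
CONF_PATH = "/etc/modprobe.d/50-security-blacklist.conf"

def modprobe_conf(modules=MODULES):
    """'install X /bin/false' defeats explicit loads; 'blacklist X' defeats alias loads."""
    return "".join(f"install {m} /bin/false\nblacklist {m}\n" for m in modules)

def machine_config(role="worker", modules=MODULES):
    """Build the MachineConfig as a dict; dump with json/yaml and `oc apply -f`."""
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "metadata": {
            "name": f"99-{role}-kernel-module-blacklist",  # assumed name
            "labels": {"machineconfiguration.openshift.io/role": role},
        },
        "spec": {"config": {
            "ignition": {"version": "3.2.0"},
            "storage": {"files": [{
                "path": CONF_PATH, "mode": 0o644, "overwrite": True,
                # Ignition takes inline file content as an RFC 2397 data URL.
                "contents": {"source": "data:," + quote(modprobe_conf(modules), safe="")},
            }]},
        }},
    }

def inline_content(mc):
    """Decode the data URL back to text, e.g. to diff it against the file on a node."""
    src = mc["spec"]["config"]["storage"]["files"][0]["contents"]["source"]
    return unquote(src[len("data:,"):])

def loaded_blacklisted(lsmod_output, modules=MODULES):
    """Modules in `lsmod` output (the Verification command) that should be absent.
    lsmod prints usb_storage while modprobe.d uses usb-storage, so normalise names."""
    want = {m.replace("-", "_") for m in modules}
    loaded = {ln.split()[0] for ln in lsmod_output.splitlines()[1:] if ln.strip()}
    return sorted(want & loaded)
```

After the MachineConfigPool has rolled the change out, `loaded_blacklisted` applied to the lsmod output from each node should return an empty list.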
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
| Setting | Scope | Target Repo | Target File | Rationale | Risk |
|---|---|---|---|---|---|
| 18 kernel module blacklist entries | RAN | openshift/os | /usr/lib/modprobe.d/50-security-blacklist.conf | Disables unnecessary kernel modules (Bluetooth, WiFi, exotic filesystems, ATM, TIPC). Reduces attack surface on container hosts. Scope: Some modules (SCTP) are used by telco workloads. Bluetooth/WiFi blacklist is safe but module selection is deployment-specific. | Med |