MEDIUM M21: Kernel Module Blacklist P3

Overview

Disables unnecessary kernel modules to reduce the attack surface. Blacklists network protocols (SCTP, TIPC, ATM, CAN), wireless drivers (Bluetooth, WiFi), obsolete filesystems (cramfs, hfs, jffs2), and removable storage (USB, FireWire).

Profile: NIST 800-53 Moderate (rhcos4-moderate)

Compliance Checks

Check                    Description
atm-disabled             Disable ATM network protocol
bluetooth-disabled       Disable Bluetooth
can-disabled             Disable CAN bus protocol
cfg80211-disabled        Disable wireless configuration
cramfs-disabled          Disable cramfs filesystem
firewire-core-disabled   Disable FireWire
freevxfs-disabled        Disable FreeVxFS filesystem
hfs-disabled             Disable HFS filesystem
hfsplus-disabled         Disable HFS+ filesystem
iwlmvm-disabled          Disable Intel WiFi MVM driver
iwlwifi-disabled         Disable Intel WiFi driver
jffs2-disabled           Disable JFFS2 filesystem
mac80211-disabled        Disable wireless MAC layer
sctp-disabled            Disable SCTP protocol
squashfs-disabled        Disable SquashFS filesystem
tipc-disabled            Disable TIPC protocol
udf-disabled             Disable UDF filesystem
usb-storage-disabled     Disable USB mass storage

Verification

oc debug node/<node> -- chroot /host lsmod | grep -E 'bluetooth|usb.storage|sctp'
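
The lsmod check above only lists modules that are loaded at that moment. As an added example (not part of the original page or of the compliance tooling), this script audits modprobe.d-style directories for the 18 modules in the table. It assumes each module is disabled with an `install <module> /bin/true` or `/bin/false` line; `is_disabled`, `missing_modules` and `demo` are names chosen here.

```shell
#!/bin/sh
# Added example. Assumption: a module counts as disabled only when a *.conf file
# has "install <module> /bin/true" (or /bin/false). A bare "blacklist" line only
# stops alias-based autoloading, so it is not accepted here.
# On a node: missing_modules /etc/modprobe.d   (inside the chroot /host shell)
MODULES="atm bluetooth can cfg80211 cramfs firewire-core freevxfs hfs hfsplus iwlmvm iwlwifi jffs2 mac80211 sctp squashfs tipc udf usb-storage"

# is_disabled <module> <dir>...: returns 0 if an install override is found
is_disabled() {
    # modprobe treats '-' and '_' in module names as equivalent
    mod=$(printf '%s' "$1" | sed 's/-/_/g'); shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            if awk -v m="$mod" '
                { sub(/#.*/, "") }                      # ignore comments
                $1 == "install" { n = $2; gsub(/-/, "_", n)
                    if (n == m && ($3 == "/bin/true" || $3 == "/bin/false")) found = 1 }
                END { exit !found }' "$f"; then
                return 0
            fi
        done
    done
    return 1
}

# missing_modules <dir>...: print modules with no disabling entry, one per line
missing_modules() {
    for m in $MODULES; do
        is_disabled "$m" "$@" || printf '%s\n' "$m"
    done
}

# demo: constructed sample config (not from a real node) that omits sctp and udf
demo() {
    d=$(mktemp -d)
    for m in $MODULES; do
        case $m in sctp|udf) continue ;; esac
        printf 'install %s /bin/true\n' "$m"
    done > "$d/75-constructed.conf"
    # a commented-out entry must not count as disabling sctp
    printf '# install sctp /bin/true\n' >> "$d/75-constructed.conf"
    missing_modules "$d"; rm -rf "$d"
}
```
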