MEDIUM RHCOS (Node) M21: Kernel Module Blacklist P3
Remediation required. This group (18 checks) fails on vanilla RHCOS 10.2 and requires MachineConfig remediation. Verified on cnfdt16 (OCP 5.0, RHCOS 10.2) with compliance-operator v1.8.2.
Overview
Disables unnecessary kernel modules to reduce the attack surface. Blacklists network protocols (SCTP, TIPC, ATM, CAN), wireless drivers (bluetooth, WiFi), obsolete filesystems (cramfs, hfs, jffs2), and removable storage (USB, FireWire).
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| atm-disabled | Disable ATM network protocol |
| bluetooth-disabled | Disable Bluetooth |
| can-disabled | Disable CAN bus protocol |
| cfg80211-disabled | Disable wireless configuration |
| cramfs-disabled | Disable cramfs filesystem |
| firewire-core-disabled | Disable FireWire |
| freevxfs-disabled | Disable FreeVxFS filesystem |
| hfs-disabled | Disable HFS filesystem |
| hfsplus-disabled | Disable HFS+ filesystem |
| iwlmvm-disabled | Disable Intel WiFi MVM driver |
| iwlwifi-disabled | Disable Intel WiFi driver |
| jffs2-disabled | Disable JFFS2 filesystem |
| mac80211-disabled | Disable wireless MAC layer |
| sctp-disabled | Disable SCTP protocol |
| squashfs-disabled | Disable SquashFS filesystem |
| tipc-disabled | Disable TIPC protocol |
| udf-disabled | Disable UDF filesystem |
| usb-storage-disabled | Disable USB mass storage |
Verification
oc debug node/<node> -- chroot /host lsmod | grep -E 'bluetooth|usb.storage|sctp'
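An added example, not part of this report or of compliance-operator: it renders the modprobe.d blacklist the 18 checks expect, wraps it in the MachineConfig remediation the report says is required, and extends the verification above to every listed module. The MachineConfig name, worker pool, Ignition version, the /etc/modprobe.d path and the sample lsmod output are assumptions.

```shell
# Constructed module list: the 18 modules named by the compliance checks above.
BLACKLIST_MODULES="atm bluetooth can cfg80211 cramfs firewire-core freevxfs hfs hfsplus
iwlmvm iwlwifi jffs2 mac80211 sctp squashfs tipc udf usb-storage"
# modprobe.d fragment: "blacklist" only stops alias autoloading; "install <mod>
# /bin/false" also fails an explicit modprobe, the form the checks look for.
render_blacklist_conf() {
  for m in $BLACKLIST_MODULES; do
    printf 'install %s /bin/false\nblacklist %s\n' "$m" "$m"
  done
}
# MachineConfig wrapper (assumed: worker pool, Ignition 3.2.0, /etc/modprobe.d since
# /usr is read-only on RHCOS). Ignition data: URLs are percent-encoded.
render_machineconfig() {
  encoded=$(render_blacklist_conf | awk '{ gsub(/ /, "%20"); printf "%s%%0A", $0 }')
  cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-worker-kernel-module-blacklist
  labels:
    machineconfiguration.openshift.io/role: worker
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/modprobe.d/50-security-blacklist.conf
          mode: 420
          overwrite: true
          contents:
            source: data:,${encoded}
EOF
}

# Print blacklisted modules still loaded, reading lsmod output on stdin. lsmod
# shows in-kernel names with '-' turned into '_' (usb_storage), so normalise first.
loaded_blacklisted() {
  awk 'NR > 1 { print $1 }' | while read -r loaded; do
    for m in $BLACKLIST_MODULES; do
      if [ "$(printf '%s' "$m" | tr '-' '_')" = "$loaded" ]; then echo "$m"; fi
    done
  done
}
# Constructed lsmod output standing in for: oc debug node/<node> -- chroot /host lsmod
SAMPLE_LSMOD="Module                  Size  Used by
usb_storage            81920  0
xfs                  1650688  3
sctp                  421888  0"
```

Apply with `render_machineconfig > blacklist-mc.yaml; oc apply -f blacklist-mc.yaml`, then verify with `oc debug node/<node> -- chroot /host lsmod | loaded_blacklisted`, which prints nothing once every listed module is unloaded.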
Upstream Proposal
The following changes could eliminate the need for MachineConfig remediation. Items are categorized by recommended scope:
- 18 kernel module blacklist entries (RAN, Med) in openshift/os, file `/usr/lib/modprobe.d/50-security-blacklist.conf`. Disables unnecessary kernel modules (Bluetooth, WiFi, exotic filesystems, ATM, TIPC). Reduces attack surface on container hosts.
  - Scope: Some modules (SCTP) are used by telco workloads. Bluetooth/WiFi blacklist is safe but module selection is deployment-specific.
PR History
- 18 kernel module blacklist entries: 18 modules is too broad for a base image blacklist. The only existing CoreOS module blacklist is nouveau (1 module, with specific bugzilla). Several modules have legitimate uses: SCTP for telco signaling (4G/5G), usb-storage for BMC KVM and provisioning, squashfs for snap/container runtimes, Bluetooth/WiFi for sensor nodes. Each module would need individual upstream justification. CoreOS tracker #249 discusses module management but not default blacklists.