Check: OL6-00-000315
Oracle Linux 6 STIG:
OL6-00-000315
(in versions v2 r7 through v1 r10)
Title
The Bluetooth kernel module must be disabled. (Cat II impact)
Discussion
If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.
Check Content
If the system is configured to prevent the loading of the "bluetooth" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":

$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d | grep -i "/bin/true"

If no line is returned, this is a finding.

If the system is configured to prevent the loading of the "net-pf-31" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated "/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":

$ grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d | grep -i "/bin/true"

If no line is returned, this is a finding.
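The grep pipeline in the check also returns commented-out lines such as "# install bluetooth /bin/true", which do not disable anything. The script below is an added example, not part of the STIG text: it only accepts an active "install <module> /bin/true" line. The function names module_install_disabled and check_bluetooth are hypothetical, and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not STIG text): stricter form of the grep check.
# Function names are hypothetical helpers for this illustration.

# module_install_disabled MODULE PATH...
# Returns 0 if any PATH (file or directory, searched recursively) holds an
# active, uncommented "install MODULE /bin/true" line; returns 1 otherwise.
module_install_disabled() {
    mod=$1; shift
    for p in "$@"; do
        [ -e "$p" ] || continue   # e.g. the deprecated modprobe.conf is absent
        if grep -rEqs "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/true([[:space:]]|\$)" "$p"; then
            return 0
        fi
    done
    return 1
}

# check_bluetooth PATH...
# Reports each module named in the check; returns 0 only if both are disabled.
check_bluetooth() {
    rc=0
    for m in bluetooth net-pf-31; do
        if module_install_disabled "$m" "$@"; then
            echo "PASS: $m"
        else
            echo "FINDING: $m"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: a commented-out line and an active one.
demo=$(mktemp -d)
printf '%s\n' '# install bluetooth /bin/true' > "$demo/bluetooth.conf"
printf '%s\n' 'install net-pf-31 /bin/true' > "$demo/net.conf"
check_bluetooth "$demo/modprobe.conf" "$demo" || true
rm -rf "$demo"
# On a real system: check_bluetooth /etc/modprobe.conf /etc/modprobe.d
```

On the constructed input this reports a finding for "bluetooth" (the only matching line is a comment) and a pass for "net-pf-31".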
Fix Text
The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate "/etc/modprobe.d" configuration file to prevent the loading of the Bluetooth module:

install net-pf-31 /bin/true
install bluetooth /bin/true
Additional Identifiers
Rule ID: SV-219578r793835_rule
Vulnerability ID: V-219578
Group Title: SRG-OS-000095
CCIs
Number | Definition |
---|---|
CCI-000085 | The organization monitors for unauthorized connections of mobile devices to organizational information systems. |
CCI-000381 | The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 | Least Functionality |