Disable ATM Support

Documentos > Datadog Security > OOTB Rules > Disable ATM Support

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Description

The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. To configure the system to prevent the atm kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf:

install atm /bin/false

This entry will cause a non-zero return value during a atm module installation and additionally convey the meaning of the entry to the user in form of an error message. If you would like to omit a non-zero return value and an error message, you may want to add a different line instead (both /bin/true and /bin/false are allowed by OVAL and will be accepted by the scan):

install atm /bin/true

Rationale

Disabling ATM protects the system against exploitation of any flaws in its implementation.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then

if LC_ALL=C grep -q -m 1 "^install atm" /etc/modprobe.d/atm.conf ; then
	
	sed -i 's#^install atm.*#install atm /bin/false#g' /etc/modprobe.d/atm.conf
else
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/atm.conf
	echo "install atm /bin/false" >> /etc/modprobe.d/atm.conf
fi

if ! LC_ALL=C grep -q -m 1 "^blacklist atm$" /etc/modprobe.d/atm.conf ; then
	echo "blacklist atm" >> /etc/modprobe.d/atm.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-89906-2
  - NIST-800-53-AC-18
  - disable_strategy
  - kernel_module_atm_disabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required

- name: Ensure kernel module 'atm' is disabled
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/modprobe.d/atm.conf
    regexp: install\s+atm
    line: install atm /bin/false
  when: '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-89906-2
  - NIST-800-53-AC-18
  - disable_strategy
  - kernel_module_atm_disabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required

- name: Ensure kernel module 'atm' is blacklisted
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/modprobe.d/atm.conf
    regexp: ^blacklist atm$
    line: blacklist atm
  when: '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-89906-2
  - NIST-800-53-AC-18
  - disable_strategy
  - kernel_module_atm_disabled
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required