New rule kernel_config_modules

Add a rule that checks if support for kernel modules is disabled. If the system can function without support for kernel modules, the support for them should be disabled. Include the rule to ANSSI R23 as a related rule.
ComplianceAsCode · Feb 8, 2024 · 1d295a4 · 1d295a4
1 parent 5f62e80
commit 1d295a4
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 3 deletions.
diff --git a/components/kernel.yml b/components/kernel.yml
@@ -61,6 +61,7 @@ rules:
 - kernel_config_module_sig_hash
 - kernel_config_module_sig_key
 - kernel_config_module_sig_sha512
+- kernel_config_modules
 - kernel_config_page_poisoning
 - kernel_config_page_poisoning_no_sanity
 - kernel_config_page_poisoning_zero

diff --git a/controls/anssi.yml b/controls/anssi.yml
@@ -579,6 +579,9 @@ controls:
     - kernel_config_hibernation
     - kernel_config_binfmt_misc
     - kernel_config_legacy_ptys
+    related_rules:
+    # This rule isn't included in any profile therefore it won't appear in the built data stream.
+    - kernel_config_modules
 
 
   - id: R24

diff --git a/linux_os/guide/system/kernel_build_config/kernel_config_modules/rule.yml b/linux_os/guide/system/kernel_build_config/kernel_config_modules/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+title: Disable Support for Kernel Modules
+
+description: |-
+    Kernel modules are small pieces of compiled code which can be inserted in the running kernel, rather than being permanently built into the kernel.
+    If module support isn't neccessary, it must be disabled.
+
+    {{{ describe_kernel_build_config("CONFIG_MODULES", "n") | indent(4) }}}
+
+rationale: |-
+    Disabling support for kernel modules will prevent loading unwanted modules.
+
+warnings:
+    {{{ warning_kernel_build_config() | indent(4) }}}
+
+severity: low
+
+identifiers:
+    cce@rhel7: CCE-86302-7
+    cce@rhel8: CCE-86303-5
+    cce@rhel9: CCE-86304-3
+
+ocil_clause: 'the kernel was not built with the required value'
+
+ocil: |-
+    {{{ ocil_kernel_build_config("CONFIG_MODULES", "n") | indent(4) }}}
+
+template:
+    name: kernel_build_config
+    vars:
+        config: CONFIG_MODULES
+        value: 'n'
+
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -88,9 +88,6 @@ CCE-86290-4
 CCE-86291-2
 CCE-86293-8
 CCE-86294-6
-CCE-86302-7
-CCE-86303-5
-CCE-86304-3
 CCE-86305-0
 CCE-86306-8
 CCE-86307-6