{"description": "The kernel's module loading system can be configured to prevent\nloading of the Bluetooth module. Add the following to\nthe appropriate <tt>/etc/modprobe.d</tt> configuration file\nto prevent the loading of the Bluetooth module:\n<pre>install bluetooth /bin/true</pre>", "rationale": "If Bluetooth functionality must be disabled, preventing the kernel\nfrom loading the kernel module provides an additional safeguard against its\nactivation.", "severity": "medium", "references": {"cis-csc": ["11", "12", "14", "15", "3", "8", "9"], "cjis": ["5.13.1.3"], "cobit5": ["APO13.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS01.04", "DSS05.02", "DSS05.03", "DSS05.05", "DSS06.06"], "cui": ["3.1.16"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.1.2", "A.12.5.1", "A.12.6.2", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.6.2.1", "A.6.2.2", "A.9.1.2"], "nist": ["AC-18(a)", "AC-18(3)", "CM-7(a)", "CM-7(b)", "CM-6(a)", "MP-7"], "nist-csf": ["PR.AC-3", "PR.IP-1", "PR.PT-3", "PR.PT-4"], "ospp": ["FMT_SMF_EXT.1"], "srg": ["SRG-OS-000095-GPOS-00049", "SRG-OS-000300-GPOS-00118"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "\nIf the system is configured to prevent the loading of the <code>bluetooth</code> kernel module,\nit will contain lines inside any file in <code>/etc/modprobe.d</code> or the deprecated<code> /etc/modprobe.conf</code>.\nThese lines instruct the module loading system to run another program (such as <code>/bin/false</code>) upon a module <code>install</code> event.\n\nRun the following command to search for such lines in all files in <code>/etc/modprobe.d</code> and the deprecated <code>/etc/modprobe.conf</code>:\n<pre>$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d</pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to disable the Bluetooth adapter when not in use.\n\nCreate or modify the \"/etc/modprobe.d/bluetooth.conf\" file with the following line:\n\ninstall bluetooth /bin/true\n\nReboot the system for the settings to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": " The kernel module bluetooth must be disabled in Ubuntu 22.04.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 Bluetooth must be disabled.", "vuldiscussion": "This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with Ubuntu 22.04 systems. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice and pointing devices, and near field communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DOD requirements for wireless data transmission and be approved for use by the Authorizing Official (AO). Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the Ubuntu 22.04 operating system.", "checktext": "Verify that Ubuntu 22.04 disables the ability to load the Bluetooth kernel module with the following command:\n\n$ sudo grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d/*\n\ninstall bluetooth /bin/false\nblacklist bluetooth\n\nIf the command does not return any output, or the lines are commented out, and use of Bluetooth is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to disable the Bluetooth adapter when not in use.\n\nCreate or modify the \"/etc/modprobe.d/bluetooth.conf\" file with the following lines:\n\ninstall bluetooth /bin/false\nblacklist bluetooth\n\nReboot the system for the settings to take effect."}}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable Bluetooth Kernel Module", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml", "template": {"name": "kernel_module_disabled", "vars": {"kernmodule": "bluetooth"}, "backends": {}}}