{"description": "To set the runtime status of the <code>kernel.modules_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.modules_disabled=1</pre>\nTo make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>kernel.modules_disabled = 1</pre>", "rationale": "Malicious kernel modules can have a significant impact on system security and\navailability. Disabling loading of kernel modules prevents this threat. Note\nthat once this option has been set, it cannot be reverted without doing a\nsystem reboot. Make sure that all needed kernel modules are loaded before\nsetting this option.", "severity": "medium", "references": {"anssi": ["R10"]}, "control_references": {"anssi": ["R10"]}, "components": [], "identifiers": {}, "ocil_clause": "the correct value is not returned", "ocil": "The runtime status of the <code>kernel.modules_disabled</code> kernel parameter can be queried\nby running the following command:\n<pre>$ sysctl kernel.modules_disabled</pre>\n<code>1</code>.\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule doesn't come with remediation. Remediating this rule during the installation process disrupts the install and boot process."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_kernel_modules_disabled.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_kernel_modules_disabled.sh"}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable loading and unloading of kernel modules", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "kernel.modules_disabled", "sysctlval": "1", "datatype": "int", "no_remediation": "true"}, "backends": {"bash": "off", "ansible": "off"}}}