{"description": "The Controller Area Network (CAN) is a serial communications\nprotocol which was initially developed for automotive use and\nis now also used in marine, industrial, and medical applications.\n\nTo configure the system to prevent the <code>can</code>\nkernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/can.conf</code>:\n<pre>install can /bin/false</pre>\nThis entry will cause a non-zero return value during a <code>can</code> module installation\nand additionally convey the meaning of the entry to the user in the form of an error message.\nIf you would like to omit a non-zero return value and an error message, you may want to add a different line instead\n(both <code>/bin/true</code> and <code>/bin/false</code> are allowed by OVAL and will be accepted by the scan):\n<pre>install can /bin/true</pre>", "rationale": "Disabling CAN protects the system against exploitation of any\nflaws in its implementation.", "severity": "medium", "references": {"nist": ["AC-18"], "ospp": ["FMT_SMF_EXT.1"], "srg": ["SRG-OS-000095-GPOS-00049", "SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "\nIf the system is configured to prevent the loading of the <code>can</code> kernel module,\nit will contain lines inside any file in <code>/etc/modprobe.d</code> or the deprecated <code>/etc/modprobe.conf</code>.\nThese lines instruct the module loading system to run another program (such as <code>/bin/false</code>) upon a module <code>install</code> event.\n\nRun the following command to search for such lines in all files in <code>/etc/modprobe.d</code> and the deprecated <code>/etc/modprobe.conf</code>:\n<pre>$ grep -r can /etc/modprobe.conf /etc/modprobe.d</pre>", "oval_external_content": null, "fixtext": " Configure Ubuntu 22.04 to disable the ability to use the can kernel module.\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\ninstall can /bin/true\nblacklist can\nReboot the system for the settings to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": " The kernel module can must be disabled in Ubuntu 22.04.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must be configured to disable the Controller Area Network kernel module.", "vuldiscussion": "Disabling Controller Area Network (CAN) protects the system against exploitation of any flaws in its implementation.", "checktext": "Verify that Ubuntu 22.04 disables the ability to load the CAN kernel module with the following command:\n\n$ grep -r can /etc/modprobe.conf /etc/modprobe.d/*\n\ninstall can /bin/false\nblacklist can\n\nIf the command does not return any output, or the lines are commented out, and use of CAN is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.", "fixtext": "To configure the system to prevent the can kernel module from being loaded, add the following lines to the file /etc/modprobe.d/can.conf (or create can.conf if it does not exist):\n\ninstall can /bin/false\nblacklist can"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable CAN Support", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml", "template": {"name": "kernel_module_disabled", "vars": {"kernmodule": "can"}, "backends": {}}}