{"description": "The Stream Control Transmission Protocol (SCTP) is a\ntransport layer protocol, designed to support the idea of\nmessage-oriented communication, with several streams of messages\nwithin one connection.\n\nTo configure the system to prevent the <code>sctp</code>\nkernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/sctp.conf</code>:\n<pre>install sctp /bin/false</pre>\nThis entry will cause a non-zero return value during a <code>sctp</code> module installation\nand additionally convey the meaning of the entry to the user in form of an error message.\nIf you would like to omit a non-zero return value and an error message, you may want to add a different line instead\n(both <code>/bin/true</code> and <code>/bin/false</code> are allowed by OVAL and will be accepted by the scan):\n<pre>install sctp /bin/true</pre>", "rationale": "Disabling SCTP protects\nthe system against exploitation of any flaws in its implementation.", "severity": "medium", "references": {"cis-csc": ["11", "14", "3", "9"], "cjis": ["5.10.1"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS05.02", "DSS05.05", "DSS06.06"], "cui": ["3.4.6"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.9.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.IP-1", "PR.PT-3"], "ospp": ["FMT_SMF_EXT.1"], "pcidss": ["Req-1.4.2"], "srg": ["SRG-OS-000095-GPOS-00049", "SRG-OS-000480-GPOS-00227"], "cis": ["3.2.4"], "pcidss4": ["1.4.2", "1.4"]}, "control_references": {"cis": ["3.2.4"], "pcidss4": ["1.4.2", "1.4"]}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "\nIf the system is configured to prevent the loading of the <code>sctp</code> kernel module,\nit will contain lines inside any file in <code>/etc/modprobe.d</code> or the deprecated<code> /etc/modprobe.conf</code>.\nThese lines instruct the module loading system to run another program (such as <code>/bin/false</code>) upon a module <code>install</code> event.\n\nRun the following command to search for such lines in all files in <code>/etc/modprobe.d</code> and the deprecated <code>/etc/modprobe.conf</code>:\n<pre>$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": " The kernel module sctp must be disabled in Ubuntu 22.04.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must disable the Stream Control Transmission Protocol (SCTP) kernel module.", "vuldiscussion": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.", "fixtext": "To configure the system to prevent the sctp kernel module from being loaded, add the following lines to the file  /etc/modprobe.d/sctp.conf (or create sctp.conf if it does not exist):\n\ninstall sctp /bin/false\nblacklist sctp", "checktext": "Verify that Ubuntu 22.04 disables the ability to load the sctp kernel module with the following command:\n\n$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d/*\n\ninstall sctp /bin/false\nblacklist sctp\n\nIf the command does not return any output, or the lines are commented out, and use of sctp is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable SCTP Support", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml", "template": {"name": "kernel_module_disabled", "vars": {"kernmodule": "sctp"}, "backends": {}}}