{"description": "The Transparent Inter-Process Communication (TIPC) protocol\nis designed to provide communications between nodes in a\ncluster.\n\nTo configure the system to prevent the <code>tipc</code>\nkernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/tipc.conf</code>:\n<pre>install tipc /bin/false</pre>\nThis entry will cause a non-zero return value during a <code>tipc</code> module installation\nand additionally convey the meaning of the entry to the user in the form of an error message.\nIf you would like to omit a non-zero return value and an error message, you may want to add a different line instead\n(both <code>/bin/true</code> and <code>/bin/false</code> are allowed by OVAL and will be accepted by the scan):\n<pre>install tipc /bin/true</pre>", "rationale": "Disabling TIPC protects\nthe system against exploitation of any flaws in its implementation.", "severity": "low", "references": {"cis-csc": ["11", "14", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS05.02", "DSS05.05", "DSS06.06"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.9.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.IP-1", "PR.PT-3"], "ospp": ["FMT_SMF_EXT.1"], "srg": ["SRG-OS-000095-GPOS-00049"], "cis": ["3.2.2"]}, "control_references": {"cis": ["3.2.2"]}, "components": [], "identifiers": {}, "ocil_clause": "no line is 
returned", "ocil": "\nIf the system is configured to prevent the loading of the <code>tipc</code> kernel module,\nit will contain lines inside any file in <code>/etc/modprobe.d</code> or the deprecated <code>/etc/modprobe.conf</code>.\nThese lines instruct the module loading system to run another program (such as <code>/bin/false</code>) upon a module <code>install</code> event.\n\nRun the following command to search for such lines in all files in <code>/etc/modprobe.d</code> and the deprecated <code>/etc/modprobe.conf</code>:\n<pre>$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d</pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to disable the ability to use the tipc kernel module.\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\ninstall tipc /bin/true\nblacklist tipc\nReboot the system for the settings to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "The kernel module tipc must be disabled in Ubuntu 22.04.", "warnings": [{"general": "This configuration baseline was created to deploy the base operating system for general purpose\nworkloads. When the operating system is configured for certain purposes, such as\na node in a High Performance Computing cluster, it is expected that\nthe <tt>tipc</tt> kernel module will be loaded."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must disable the Transparent Inter Process Communication (TIPC) kernel module.", "vuldiscussion": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. 
They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Transparent Inter Process Communication (TIPC) is a protocol that is specially designed for intra-cluster communication. It can be configured to transmit messages either on UDP or directly across Ethernet. Message delivery is sequence guaranteed, loss free and flow controlled. Disabling TIPC protects the system against exploitation of any flaws in its implementation.", "checktext": "Verify that Ubuntu 22.04 disables the ability to load the tipc kernel module with the following command:\n\n$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d/*\n\ninstall tipc /bin/false\nblacklist tipc\n\nIf the command does not return any output, or the lines are commented out, and use of tipc is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.", "fixtext": "To configure the system to prevent the tipc kernel module from being loaded, add the following lines to the file  /etc/modprobe.d/tipc.conf (or create tipc.conf if it does not exist):\n\ninstall tipc /bin/false\nblacklist tipc"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable TIPC Support", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml", "template": {"name": "kernel_module_disabled", "vars": {"kernmodule": "tipc"}, "backends": {}}}