Profile Applicability:
• Level 2
Description:
The Datagram Congestion Control Protocol (DCCP) kernel module provides support for a message-oriented transport layer protocol. If not required, disabling or removing the DCCP module reduces the system’s attack surface and limits exposure to less commonly used network protocols that might be exploited.
Rationale:
Disabling unused kernel modules like DCCP helps harden the system by minimizing available kernel components, reducing potential vulnerabilities.
Impact:
Pros:
Decreases attack surface by removing unnecessary protocol support.
Limits exposure to potential exploits targeting DCCP.
Cons:
May affect applications that rely on DCCP (rare).
Default Value:
The DCCP kernel module is often included with the kernel but may not be loaded by default.
Pre-requisites:
Root or sudo privileges to manage kernel modules.
Remediation:
Test Plan:
Using Linux command line:
Check if the DCCP module is loaded:
lsmod | grep dccp
Confirm that the DCCP module is not loaded (the command should produce no output).
Implementation Plan:
Using Linux command line:
Remove the DCCP module from the running kernel:
modprobe -r dccp
Prevent the module from loading on boot by adding it to the blacklist:
echo "blacklist dccp" >> /etc/modprobe.d/blacklist.conf
Update the initial ramdisk (if required):
dracut -f
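The Test Plan and Implementation Plan above can be verified together with one audit function. This is an added example, not part of the benchmark text: the name audit_module and its optional path arguments are assumptions made so it can run against copies of the files. Its third check looks for an "install dccp /bin/false" override, which is not a step on this page; a blacklist entry only makes modprobe ignore the module's aliases, so an explicit "modprobe dccp" or a dependency load still succeeds without it.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit that a kernel module is
# unloaded and blocked from loading.
# Usage: audit_module <module> [modprobe_dir] [proc_modules_file]
#   e.g. audit_module dccp
# The defaults are the live system paths; the optional arguments are an
# assumption of this example so the check can run on copies of the files.
audit_module() {
    mod=$1
    dir=${2:-/etc/modprobe.d}
    loaded=${3:-/proc/modules}
    rc=0

    # 1. Loaded now? /proc/modules has one module per line, name first.
    if [ -r "$loaded" ] && grep -q "^${mod} " "$loaded"; then
        echo "FAIL: $mod is currently loaded"
        rc=1
    else
        echo "PASS: $mod is not loaded"
    fi

    # 2. Blacklist entry present (the step this page's plan adds)?
    if grep -Eqs "^[[:space:]]*blacklist[[:space:]]+${mod}[[:space:]]*$" "$dir"/*.conf; then
        echo "PASS: 'blacklist $mod' entry found in $dir"
    else
        echo "FAIL: no 'blacklist $mod' entry in $dir"
        rc=1
    fi

    # 3. install override present? Reported as a warning only, because it
    #    is not one of this page's steps. Without it, an explicit
    #    "modprobe $mod" still loads the module despite the blacklist.
    if grep -Eqs "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/(usr/)?bin/(false|true)" "$dir"/*.conf; then
        echo "PASS: install override found for $mod"
    else
        echo "WARN: no 'install $mod /bin/false' override; explicit modprobe still works"
    fi

    return $rc
}
```

The function returns non-zero when the module is loaded or the blacklist entry is missing, so it can gate a compliance job.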
Backout Plan:
Using Linux command line:
Remove the blacklist entry to allow the module to load again:
sed -i '/blacklist dccp/d' /etc/modprobe.d/blacklist.conf
Reload the module if needed:
modprobe dccp
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Linux Kernel Module Documentation