Profile Applicability:
 • Level 2

Description:
 The Reliable Datagram Sockets (RDS) kernel module provides a high-performance, low-latency communication protocol for cluster environments. If not required, disabling or removing the RDS module reduces the system's attack surface by limiting unnecessary kernel components.

Rationale:
 Disabling unused kernel modules like RDS helps harden the system by minimizing available kernel functionality and potential vulnerabilities.

Impact:
 Pros:

  • Reduces attack surface by removing unused kernel protocol support.

  • Limits exposure to potential exploits targeting RDS.

 Cons:

  • May impact applications relying on RDS (rare in typical environments).

Default Value:
 The RDS kernel module may be present on the system but is often not loaded by default.

Pre-requisites:

  • Root or sudo privileges to manage kernel modules.

Remediation:

Test Plan:

Using Linux command line:

1. Check whether the RDS module is loaded:

lsmod | grep rds

2. Confirm that the command returns no output, i.e. the RDS module is not loaded.

Implementation Plan:

Using Linux command line:

1. Remove the RDS module from the running kernel:

modprobe -r rds

2. Prevent the RDS module from loading on boot by blacklisting it:

echo "blacklist rds" >> /etc/modprobe.d/blacklist.conf

3. Update the initial ramdisk if necessary:

dracut -f

Backout Plan:

Using Linux command line:

1. Remove the blacklist entry to allow the module to load again:

sed -i '/blacklist rds/d' /etc/modprobe.d/blacklist.conf

2. Load the RDS module if needed:

modprobe rds
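The test, implementation and backout steps above, gathered into script functions as an added example (not part of the benchmark text). The functions take the modprobe.d directory and the module list as parameters so they can be exercised against constructed files; the file name blacklist.conf, the "install rds" check and the PASS/FAIL/NOTE wording are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the benchmark: side-effect-free audit plus
# idempotent remediation/backout helpers for the RDS control. Each function
# takes the modprobe.d directory (and the module list) as parameters.

# rds_conf_has DIR DIRECTIVE -> 0 if some DIR/*.conf has "<DIRECTIVE> rds".
# Leading whitespace is allowed; commented-out lines do not count.
rds_conf_has() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        grep -Eq "^[[:space:]]*$2[[:space:]]+rds([[:space:]]|\$)" "$f" && return 0
    done
    return 1
}

# rds_loaded [MODULES_FILE] -> 0 if rds is resident in the running kernel.
# /proc/modules is what lsmod formats; a constructed copy can be passed in.
rds_loaded() {
    f=${1:-/proc/modules}
    [ -r "$f" ] && grep -Eq '^rds[[:space:]]' "$f"
}

# rds_audit DIR [MODULES_FILE] -> prints PASS or FAIL with a reason; 0 on PASS.
rds_audit() {
    if rds_loaded "$2"; then
        echo "FAIL: rds is loaded; run 'modprobe -r rds'"; return 1
    fi
    if ! rds_conf_has "$1" blacklist; then
        echo "FAIL: no 'blacklist rds' entry under $1"; return 1
    fi
    # 'blacklist' only disables the module's own aliases (such as the AF_RDS
    # protocol-family alias); an 'install rds /bin/true' line additionally
    # defeats an explicit 'modprobe rds'. Not required here, so just noted.
    rds_conf_has "$1" install || echo "NOTE: no 'install rds' override present"
    echo "PASS"; return 0
}

# rds_disable DIR -> add "blacklist rds" exactly once. A plain 'echo >>'
# appends a duplicate line every time it is re-run.
rds_disable() {
    rds_conf_has "$1" blacklist || echo "blacklist rds" >> "$1/blacklist.conf"
}

# rds_enable DIR -> backout: remove blacklist lines from every DIR/*.conf.
rds_enable() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] && sed -i '/^[[:space:]]*blacklist[[:space:]][[:space:]]*rds/d' "$f"
    done
    return 0
}
```

Run `rds_audit /etc/modprobe.d` as root on the live system to reproduce the Test Plan; `rds_disable` and `rds_enable` on the same directory correspond to the Implementation and Backout steps (followed by `modprobe -r rds` / `modprobe rds` and `dracut -f` where applicable).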

References:

  • CIS Amazon Linux 2 Benchmark v3.0.0

  • Linux Kernel Module Documentation