Revert "CIS compliance (modprobe.d)"
This reverts commit d87f461319b5b7c2dbb6d4160773c9d4abf046f3.
Change-Id: If175b29f2e130ecf5041e7b0be20f15485089ffa
diff --git a/metadata/service/system/cis/cis-1-1-1-1.yml b/metadata/service/system/cis/cis-1-1-1-1.yml
deleted file mode 100644
index 2331a54..0000000
--- a/metadata/service/system/cis/cis-1-1-1-1.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-# 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
-#
-# Description
-# ===========
-# The cramfs filesystem type is a compressed read-only Linux filesystem
-# embedded in small footprint systems. A cramfs image can be used without
-# having to first decompress the image.
-#
-# Rationale
-# =========
-# Removing support for unneeded filesystem types reduces the local attack
-# surface of the server. If this filesystem type is not needed, disable it.
-#
-# Audit
-# =====
-# Run the following commands and verify the output is as indicated:
-#
-# # modprobe -n -v cramfs
-# install /bin/true
-# # lsmod | grep cramfs
-# <No output>
-#
-# Remediation
-# ===========
-# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
-#
-# install cramfs /bin/true
-#
-parameters:
- linux:
- system:
- kernel:
- module:
- cramfs:
- install:
- command: /bin/true
-
diff --git a/metadata/service/system/cis/cis-1-1-1-2.yml b/metadata/service/system/cis/cis-1-1-1-2.yml
deleted file mode 100644
index f84b56f..0000000
--- a/metadata/service/system/cis/cis-1-1-1-2.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-# 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
-#
-# Description
-# ===========
-# The freevxfs filesystem type is a free version of the Veritas type
-# filesystem. This is the primary filesystem type for HP-UX operating systems.
-#
-# Rationale
-# =========
-# Removing support for unneeded filesystem types reduces the local attack
-# surface of the system. If this filesystem type is not needed, disable it.
-#
-# Audit
-# =====
-# Run the following commands and verify the output is as indicated:
-#
-# # modprobe -n -v freevxfs
-# install /bin/true
-# # lsmod | grep freevxfs
-# <No output>
-#
-# Remediation
-# ===========
-# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
-#
-# install freevxfs /bin/true
-#
-parameters:
- linux:
- system:
- kernel:
- module:
- freevxfs:
- install:
- command: /bin/true
-
diff --git a/metadata/service/system/cis/cis-1-1-1-3.yml b/metadata/service/system/cis/cis-1-1-1-3.yml
deleted file mode 100644
index 91390b5..0000000
--- a/metadata/service/system/cis/cis-1-1-1-3.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-# 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
-#
-# Description
-# ===========
-# The jffs2 (journaling flash filesystem 2) filesystem type is a
-# log-structured filesystem used in flash memory devices.
-#
-# Rationale
-# =========
-# Removing support for unneeded filesystem types reduces the local attack
-# surface of the system. If this filesystem type is not needed, disable it.
-#
-# Audit
-# =====
-# Run the following commands and verify the output is as indicated:
-#
-# # modprobe -n -v jffs2
-# install /bin/true
-# # lsmod | grep jffs2
-# <No output>
-#
-# Remediation
-# ===========
-# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
-#
-# install jffs2 /bin/true
-#
-parameters:
- linux:
- system:
- kernel:
- module:
- jffs2:
- install:
- command: /bin/true
-
diff --git a/metadata/service/system/cis/cis-1-1-1-4.yml b/metadata/service/system/cis/cis-1-1-1-4.yml
deleted file mode 100644
index c246ad2..0000000
--- a/metadata/service/system/cis/cis-1-1-1-4.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-# 1.1.1.4 Ensure mounting of hfs filesystems is disabled
-#
-# Description
-# ===========
-# The hfs filesystem type is a hierarchical filesystem that allows
-# you to mount Mac OS filesystems.
-#
-# Rationale
-# =========
-# Removing support for unneeded filesystem types reduces the local attack
-# surface of the system. If this filesystem type is not needed, disable it.
-#
-# Audit
-# =====
-# Run the following commands and verify the output is as indicated:
-#
-# # modprobe -n -v hfs
-# install /bin/true
-# # lsmod | grep hfs
-# <No output>
-#
-# Remediation
-# ===========
-# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
-#
-# install hfs /bin/true
-#
-parameters:
- linux:
- system:
- kernel:
- module:
- hfs:
- install:
- command: /bin/true
-
diff --git a/metadata/service/system/cis/cis-1-1-1-5.yml b/metadata/service/system/cis/cis-1-1-1-5.yml
deleted file mode 100644
index e258052..0000000
--- a/metadata/service/system/cis/cis-1-1-1-5.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-# 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
-#
-# Description
-# ===========
-# The hfsplus filesystem type is a hierarchical filesystem designed to
-# replace hfs that allows you to mount Mac OS filesystems.
-#
-# Rationale
-# =========
-# Removing support for unneeded filesystem types reduces the local attack
-# surface of the system. If this filesystem type is not needed, disable it.
-#
-# Audit
-# =====
-# Run the following commands and verify the output is as indicated:
-#
-# # modprobe -n -v hfsplus
-# install /bin/true
-# # lsmod | grep hfsplus
-# <No output>
-#
-# Remediation
-# ===========
-# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
-#
-# install hfsplus /bin/true
-#
-parameters:
- linux:
- system:
- kernel:
- module:
- hfsplus:
- install:
- command: /bin/true
-
diff --git a/metadata/service/system/cis/cis-1-1-1-6.yml b/metadata/service/system/cis/cis-1-1-1-6.yml
deleted file mode 100644
index 50cb529..0000000
--- a/metadata/service/system/cis/cis-1-1-1-6.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-# 1.1.1.6 Ensure mounting of squashfs filesystems is disabled
-#
-# Description
-# ===========
-# The squashfs filesystem type is a compressed read-only Linux filesystem
-# embedded in small footprint systems (similar to cramfs). A squashfs image
-# can be used without having to first decompress the image.
-#
-# Rationale
-# =========
-# Removing support for unneeded filesystem types reduces the local attack
-# surface of the server. If this filesystem type is not needed, disable it.
-#
-# Audit
-# =====
-# Run the following commands and verify the output is as indicated:
-#
-# # modprobe -n -v squashfs
-# install /bin/true
-# # lsmod | grep squashfs
-# <No output>
-#
-# Remediation
-# ===========
-# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
-#
-# install squashfs /bin/true
-#
-parameters:
- linux:
- system:
- kernel:
- module:
- squashfs:
- install:
- command: /bin/true
-
diff --git a/metadata/service/system/cis/cis-1-1-1-7.yml b/metadata/service/system/cis/cis-1-1-1-7.yml
deleted file mode 100644
index 0102220..0000000
--- a/metadata/service/system/cis/cis-1-1-1-7.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-# 1.1.1.7 Ensure mounting of udf filesystems is disabled
-#
-# Description
-# ===========
-# The udf filesystem type is the universal disk format used to implement
-# ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem
-# type for data storage on a broad range of media. This filesystem type is
-# necessary to support writing DVDs and newer optical disc formats.
-#
-# Rationale
-# =========
-# Removing support for unneeded filesystem types reduces the local attack
-# surface of the server. If this filesystem type is not needed, disable it.
-#
-# Audit
-# =====
-# Run the following commands and verify the output is as indicated:
-#
-# # modprobe -n -v udf
-# install /bin/true
-# # lsmod | grep udf
-# <No output>
-#
-# Remediation
-# ===========
-# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
-#
-# install udf /bin/true
-#
-parameters:
- linux:
- system:
- kernel:
- module:
- udf:
- install:
- command: /bin/true
-
diff --git a/metadata/service/system/cis/cis-1-1-1-8.yml b/metadata/service/system/cis/cis-1-1-1-8.yml
deleted file mode 100644
index b0cdcd7..0000000
--- a/metadata/service/system/cis/cis-1-1-1-8.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-# 1.1.1.8 Ensure mounting of FAT filesystems is disabled
-#
-# Description
-# ===========
-# The FAT filesystem format is primarily used on older windows systems and
-# portable USB drives or flash modules. It comes in three types FAT12, FAT16,
-# and FAT32 all of which are supported by the vfat kernel module.
-#
-# Rationale
-# =========
-# Removing support for unneeded filesystem types reduces the local attack
-# surface of the server. If this filesystem type is not needed, disable it.
-#
-# Audit
-# =====
-# Run the following commands and verify the output is as indicated:
-#
-# # modprobe -n -v vfat
-# install /bin/true
-# # lsmod | grep vfat
-# <No output>
-#
-# Remediation
-# ===========
-#
-# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
-#
-# install vfat /bin/true
-#
-# Impact
-# ======
-# FAT filesystems are often used on portable USB sticks and other flash
-# media are commonly used to transfer files between workstations, removing
-# VFAT support may prevent the ability to transfer files in this way.
-#
-parameters:
- linux:
- system:
- kernel:
- module:
- vfat:
- install:
- command: /bin/true
-
diff --git a/metadata/service/system/cis/cis-3-5-1.yml b/metadata/service/system/cis/cis-3-5-1.yml
deleted file mode 100644
index 20a24b7..0000000
--- a/metadata/service/system/cis/cis-3-5-1.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-# 3.5.2 Ensure SCTP is disabled
-#
-# Description
-# ===========
-# The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol
-# that supports streaming media and telephony. DCCP provides a way to gain
-# access to congestion control, without having to do it at the application
-# layer, but does not provide in-sequence delivery.
-#
-# Rationale
-# =========
-# If the protocol is not required, it is recommended that the drivers not be
-# installed to reduce the potential attack surface.
-#
-# Audit
-# =====
-# Run the following commands and verify the output is as indicated:
-#
-# # modprobe -n -v dccp
-# install /bin/true
-# # lsmod | grep dccp
-# <No output>
-#
-# Remediation
-# ===========
-# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
-#
-# install dccp /bin/true
-#
-parameters:
- linux:
- system:
- kernel:
- module:
- dccp:
- install:
- command: /bin/true
-
diff --git a/metadata/service/system/cis/cis-3-5-2.yml b/metadata/service/system/cis/cis-3-5-2.yml
deleted file mode 100644
index 0207eb9..0000000
--- a/metadata/service/system/cis/cis-3-5-2.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-# 3.5.2 Ensure SCTP is disabled
-#
-# Description
-# ===========
-# The Stream Control Transmission Protocol (SCTP) is a transport layer
-# protocol used to support message oriented communication, with several
-# streams of messages in one connection. It serves a similar function as
-# TCP and UDP, incorporating features of both. It is message-oriented
-# like UDP, and ensures reliable in-sequence transport of messages with
-# congestion control like TCP.
-#
-# Rationale
-# =========
-# If the protocol is not being used, it is recommended that kernel module
-# not be loaded, disabling the service to reduce the potential attack surface.
-#
-# Audit
-# =====
-# Run the following commands and verify the output is as indicated:
-#
-# # modprobe -n -v sctp
-# install /bin/true
-# # lsmod | grep sctp
-# <No output>
-#
-# Remediation
-# ===========
-#
-# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
-#
-# install sctp /bin/true
-#
-parameters:
- linux:
- system:
- kernel:
- module:
- sctp:
- install:
- command: /bin/true
-
diff --git a/metadata/service/system/cis/cis-3-5-3.yml b/metadata/service/system/cis/cis-3-5-3.yml
deleted file mode 100644
index 723de8b..0000000
--- a/metadata/service/system/cis/cis-3-5-3.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-# 3.5.3 Ensure RDS is disabled
-#
-# Description
-# ===========
-# The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol
-# designed to provide low-latency, high-bandwidth communications between
-# cluster nodes. It was developed by the Oracle Corporation.
-#
-# Rationale
-# =========
-# If the protocol is not being used, it is recommended that kernel module
-# not be loaded, disabling the service to reduce the potential attack surface.
-#
-# Audit
-# =====
-# Run the following commands and verify the output is as indicated:
-#
-# # modprobe -n -v rds
-# install /bin/true
-# # lsmod | grep rds
-# <No output>
-#
-# Remediation
-# ===========
-# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
-#
-# install rds /bin/true
-#
-parameters:
- linux:
- system:
- kernel:
- module:
- rds:
- install:
- command: /bin/true
-
diff --git a/metadata/service/system/cis/cis-3-5-4.yml b/metadata/service/system/cis/cis-3-5-4.yml
deleted file mode 100644
index 6a4920c..0000000
--- a/metadata/service/system/cis/cis-3-5-4.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-# 3.5.4 Ensure TIPC is disabled
-#
-# Description
-# ===========
-# The Transparent Inter-Process Communication (TIPC) protocol is designed
-# to provide communication between cluster nodes.
-#
-# Rationale
-# =========
-# If the protocol is not being used, it is recommended that kernel module
-# not be loaded, disabling the service to reduce the potential attack surface.
-#
-# Audit
-# =====
-# Run the following commands and verify the output is as indicated:
-#
-# # modprobe -n -v tipc
-# install /bin/true
-# # lsmod | grep tipc
-# <No output>
-#
-# Remediation
-# ===========
-#
-# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
-#
-# install tipc /bin/true
-#
-parameters:
- linux:
- system:
- kernel:
- module:
- tipc:
- install:
- command: /bin/true
-
diff --git a/metadata/service/system/cis/init.yml b/metadata/service/system/cis/init.yml
index f32179a..fa119a2 100644
--- a/metadata/service/system/cis/init.yml
+++ b/metadata/service/system/cis/init.yml
@@ -1,14 +1,2 @@
classes:
-- service.linux.system.cis.cis-1-1-1-1.yml
-- service.linux.system.cis.cis-1-1-1-2.yml
-- service.linux.system.cis.cis-1-1-1-3.yml
-- service.linux.system.cis.cis-1-1-1-4.yml
-- service.linux.system.cis.cis-1-1-1-5.yml
-- service.linux.system.cis.cis-1-1-1-6.yml
-- service.linux.system.cis.cis-1-1-1-7.yml
-- service.linux.system.cis.cis-1-1-1-8.yml
- service.linux.system.cis.cis-3-3-3
-- service.linux.system.cis.cis-3-5-1
-- service.linux.system.cis.cis-3-5-2
-- service.linux.system.cis.cis-3-5-3
-- service.linux.system.cis.cis-3-5-4
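Review bot: After this hunk the class list keeps only `service.linux.system.cis.cis-3-3-3`, so none of the `install <module> /bin/true` overrides for the filesystem modules (cramfs through vfat) or the protocol modules (dccp, sctp, rds, tipc) is included any more, and the commit message gives no reason for dropping them. The eight removed `cis-1-1-1-*` entries carried a `.yml` suffix that the `cis-3-*` entries did not. If that suffix is what broke class resolution (an inference, the page does not say), a narrower fix would keep the hardening and drop the suffix, e.g. `- service.linux.system.cis.cis-1-1-1-1`. The description should also say whether hosts that already received the overrides keep them; the audit command from the removed files, `modprobe -n -v cramfs`, shows the effective state on a node.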