Puppet Class: cis_security_hardening::rules::disable_dccp
- Defined in:
- manifests/rules/disable_dccp.pp
Summary
Ensure DCCP is disabled
Overview
The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.
Rationale: If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.
# File 'manifests/rules/disable_dccp.pp', line 22
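class cis_security_hardening::rules::disable_dccp (
  Boolean $enforce = false,
) {
  if $enforce {
    # versioncmp() compares release numbers numerically; the plain string
    # operators compare lexicographically, so '9' would sort after '10'.
    case $facts['os']['name'].downcase() {
      'debian': {
        if versioncmp($facts['os']['release']['major'], '10') > 0 {
          # Newer than Debian 10: make loading fail and blacklist the module.
          $command = '/bin/false'
          kmod::blacklist { 'dccp': }
        } else {
          $command = '/bin/true'
        }
      }
      'ubuntu': {
        if versioncmp($facts['os']['release']['major'], '20') >= 0 {
          # Ubuntu 20 and later: make loading fail and blacklist the module.
          $command = '/bin/false'
          kmod::blacklist { 'dccp': }
        } else {
          $command = '/bin/true'
        }
      }
      default: {
        $command = '/bin/true'
      }
    }

    # Replace the module load with $command so modprobe never inserts dccp.
    kmod::install { 'dccp':
      command => $command,
    }
  }
}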
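To audit the result of this class on a node, the following added example (not part of the module) reports which of the class's branches a modprobe configuration directory reflects and whether the module is currently loaded. It assumes `kmod::install` and `kmod::blacklist` render the standard modprobe.d `install` and `blacklist` directives; the function names and state words are hypothetical, and the directory is a parameter because the file the kmod module writes is not stated on this page.

```shell
#!/bin/sh
# Added example, not the module's own code.
# Usage on a node (assumed directory): module_policy dccp /etc/modprobe.d

# module_policy MODULE CONF_DIR
# Prints one state word describing how CONF_DIR/*.conf treats MODULE.
module_policy() {
  cat "$2"/*.conf 2>/dev/null | awk -v mod="$1" '
    BEGIN { gsub(/-/, "_", mod) }            # modprobe treats - and _ alike
    { sub(/#.*/, "") }                       # drop comments
    NF < 2 { next }                          # skip blank or incomplete lines
    { name = $2; gsub(/-/, "_", name) }
    $1 == "install" && name == mod {
      if (cmd != "" && cmd != $3) conflict = 1   # two different commands
      cmd = $3
    }
    $1 == "blacklist" && name == mod { bl = 1 }
    END {
      if (conflict)                       print "conflict"
      else if (cmd == "/bin/false" && bl) print "install-false+blacklist"
      else if (cmd == "/bin/false")       print "install-false"
      else if (cmd == "/bin/true")        print "install-true"
      else if (bl)                        print "blacklist-only"
      else                                print "unmanaged"
    }'
}

# module_loaded MODULE [MODULES_FILE]
# Exit status 0 if MODULE is listed in MODULES_FILE (default /proc/modules).
module_loaded() {
  awk -v mod="$1" '$1 == mod { found = 1 } END { exit !found }' \
    "${2:-/proc/modules}"
}
```

`install-false+blacklist` matches the branch for Debian newer than 10 and Ubuntu 20 and later, and `install-true` matches every other enforced case. `blacklist-only` or `unmanaged` means an explicit `modprobe dccp` can still load the driver, and a loaded module stays loaded until it is removed or the node reboots.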