Ensure wireless interfaces are disabled

Description

Wireless networking is used when wired networks are unavailable.

Rationale Statement

If wireless is not to be used, the wireless devices can be disabled to reduce the potential attack surface.

Impact Statement

Many, if not all, laptop workstations and some desktop workstations connect via wireless, which requires these interfaces to be enabled.

Audit Procedure

Run the following script to verify that no wireless interfaces are active on the system:

    #!/usr/bin/env bash

    {
       l_output="" l_output2=""
       module_chk()
       {
          # Check how the module would be loaded (dry run): an "install /bin/false"
          # or "install /bin/true" override means it cannot be loaded
          l_loadable="$(modprobe -n -v "$l_mname")"
          if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
             l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
          else
             l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
          fi
          # Check if the module is currently loaded (anchored on the first lsmod
          # column, so a name appearing only in the "Used by" column does not match)
          if ! lsmod | grep -Pq -- "^\h*$l_mname\h"; then
             l_output="$l_output\n - module: \"$l_mname\" is not loaded"
          else
             l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
          fi
          # Check if the module is deny listed
          if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then
             l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
          else
             l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
          fi
       }
       # A NIC is wireless if its sysfs entry contains a "wireless" directory;
       # -print0 pairs with xargs -0 so several wireless NICs are handled correctly
       if [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
          l_dname=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless -print0 | xargs -0 dirname); do basename "$(readlink -f "$driverdir"/device/driver/module)"; done | sort -u)
          for l_mname in $l_dname; do
             module_chk
          done
       fi
       # Report results. If nothing was recorded in l_output2, the audit passes
       if [ -z "$l_output2" ]; then
          echo -e "\n- Audit Result:\n  ** PASS **"
          if [ -z "$l_output" ]; then
             echo -e "\n - System has no wireless NICs installed"
          else
             echo -e "\n$l_output\n"
          fi
       else
          echo -e "\n- Audit Result:\n  ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
          [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
       fi
    }
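The audit above answers three questions per wireless driver module (can it be loaded, is it loaded now, is it deny listed) and fails if any answer is the wrong one. The following added example, which is not part of the benchmark text, isolates that decision logic so it can be run against captured command output without root or a wireless NIC. All sample output (the modprobe dry-run lines, the lsmod table, the showconfig lines) is constructed, and the function and variable names are ours.

```shell
#!/usr/bin/env bash
# Added example, not part of the benchmark text: the audit's three checks
# (loadable? loaded? deny listed?) applied to captured command output.
# All sample output below is constructed; function and variable names are ours.

# Constructed `modprobe -n -v iwlwifi` output for a module made un-loadable:
# the dry run prints the install override instead of an insmod line.
SAMPLE_DRYRUN_BLOCKED='install /bin/false'
# Constructed `modprobe -n -v iwlwifi` output for a module that is still loadable.
SAMPLE_DRYRUN_LOADABLE='insmod /lib/modules/6.1.0-example/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko'
# Constructed `lsmod` output (columns: Module, Size, Used by).
SAMPLE_LSMOD='Module                  Size  Used by
iwlmvm                667648  0
iwlwifi               446464  1 iwlmvm
cfg80211             1155072  3 iwlmvm,iwlwifi,mac80211'
# Constructed `modprobe --showconfig` output with iwlwifi deny listed.
SAMPLE_SHOWCONFIG='blacklist iwlwifi
alias net-pf-16 af_netlink'

# module_state MODULE DRYRUN LSMOD SHOWCONFIG
# Prints three words: (loadable|not-loadable) (loaded|not-loaded) (denied|not-denied)
module_state() {
   mname="$1"; dryrun="$2"; lsmod_out="$3"; showconfig="$4"
   # An "install /bin/false" (or /bin/true) override in the dry run means the
   # module cannot be loaded by modprobe.
   if printf '%s\n' "$dryrun" | grep -Eq '^[[:blank:]]*install /bin/(true|false)'; then
      loadable="not-loadable"
   else
      loadable="loadable"
   fi
   # Anchor on the first lsmod column so a name in "Used by" (iwlwifi is listed
   # against cfg80211 above) does not count as the module being loaded.
   if printf '%s\n' "$lsmod_out" | grep -Eq "^$mname[[:blank:]]"; then
      loaded="loaded"
   else
      loaded="not-loaded"
   fi
   # A "blacklist MODULE" line in the effective modprobe configuration.
   if printf '%s\n' "$showconfig" | grep -Eq "^[[:blank:]]*blacklist[[:blank:]]+$mname([[:blank:]]|$)"; then
      denied="denied"
   else
      denied="not-denied"
   fi
   printf '%s %s %s\n' "$loadable" "$loaded" "$denied"
}

# audit_module MODULE DRYRUN LSMOD SHOWCONFIG
# Prints PASS (exit 0) only when all three checks are in the hardened state,
# otherwise FAIL with the offending states (exit 1), mirroring the benchmark's
# rule that any entry in l_output2 fails the audit.
audit_module() {
   state="$(module_state "$@")"
   if [ "$state" = "not-loadable not-loaded denied" ]; then
      echo "PASS"
      return 0
   fi
   echo "FAIL ($state)"
   return 1
}

# Stand-alone demonstration: the first call is expected to report FAIL (the
# module is deny listed but still loadable and loaded), the second PASS.
audit_module iwlwifi "$SAMPLE_DRYRUN_LOADABLE" "$SAMPLE_LSMOD" "$SAMPLE_SHOWCONFIG" || :
audit_module iwlwifi "$SAMPLE_DRYRUN_BLOCKED" "" "$SAMPLE_SHOWCONFIG"
```

The first demonstration call shows why the benchmark checks all three conditions: a `blacklist` line alone only stops alias-based autoloading, so a module that is deny listed but still loadable and loaded is reported as a failure.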

Remediation Procedure

Run the following script to disable any wireless interfaces:

    #!/usr/bin/env bash

    {
       # Must be run as root: it writes to /etc/modprobe.d and unloads modules
       module_fix()
       {
          # Make the module un-loadable unless an install override already exists
          if ! modprobe -n -v "$l_mname" | grep -Pq -- '^\h*install \/bin\/(true|false)'; then
             echo -e " - setting module: \"$l_mname\" to be un-loadable"
             echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mname".conf
          fi
          # Unload the module if it is currently loaded
          if lsmod | grep -Pq -- "^\h*$l_mname\h"; then
             echo -e " - unloading module \"$l_mname\""
             modprobe -r "$l_mname"
          fi
          # Deny list the module unless a blacklist entry already exists
          if ! grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then
             echo -e " - deny listing \"$l_mname\""
             echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mname".conf
          fi
       }
       # -print0 pairs with xargs -0 so several wireless NICs are handled correctly
       if [ -n "$(find /sys/class/net/*/ -type d -name wireless)" ]; then
          l_dname=$(for driverdir in $(find /sys/class/net/*/ -type d -name wireless -print0 | xargs -0 dirname); do basename "$(readlink -f "$driverdir"/device/driver/module)"; done | sort -u)
          for l_mname in $l_dname; do
             module_fix
          done
       fi
    }
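The remediation writes two directives per driver module into `/etc/modprobe.d/<module>.conf`: `install <module> /bin/false`, which makes any modprobe attempt (explicit or via a device alias) run `/bin/false` instead of loading the module, and `blacklist <module>`, which stops alias-based autoloading. Both are read by `modprobe` on every invocation, so the audit's dry-run check reflects them immediately; `modprobe -r`, by contrast, refuses to unload a module that is still in use (for example by a dependent module or an interface that is up), in which case the module stays loaded until the next boot. The following added example, which is not the benchmark's own script, implements the configuration step as an idempotent function against a directory argument that is ours (it defaults to the real `/etc/modprobe.d`), together with a read-back verifier, so the file handling can be tried in a scratch directory without root.

```shell
#!/usr/bin/env bash
# Added example, not part of the benchmark text: the remediation's
# configuration step as an idempotent function with a configurable modprobe.d
# directory, plus a verifier that reads the file back. The DIR argument is
# ours; it defaults to the real /etc/modprobe.d.

# write_module_deny MODULE [DIR]
# Ensures DIR/MODULE.conf contains "install MODULE /bin/false" and
# "blacklist MODULE", appending each line only if it is missing so that
# repeated runs do not accumulate duplicates.
write_module_deny() {
   mname="$1"
   dir="${2:-/etc/modprobe.d}"
   conf="$dir/$mname.conf"
   mkdir -p "$dir"
   [ -f "$conf" ] || : > "$conf"
   # install override: blocks explicit and alias-driven loads alike
   if ! grep -Eq "^[[:blank:]]*install[[:blank:]]+$mname[[:blank:]]+/bin/(true|false)([[:blank:]]|$)" "$conf"; then
      printf 'install %s /bin/false\n' "$mname" >> "$conf"
   fi
   # blacklist entry: blocks alias-driven autoloading
   if ! grep -Eq "^[[:blank:]]*blacklist[[:blank:]]+$mname([[:blank:]]|$)" "$conf"; then
      printf 'blacklist %s\n' "$mname" >> "$conf"
   fi
}

# verify_module_deny MODULE [DIR]
# Exit 0 only when the file exists and carries each directive exactly once.
verify_module_deny() {
   mname="$1"
   dir="${2:-/etc/modprobe.d}"
   conf="$dir/$mname.conf"
   [ -f "$conf" ] || return 1
   # "|| :" keeps a zero count from aborting callers that run under set -e
   n_install=$(grep -Ec "^[[:blank:]]*install[[:blank:]]+$mname[[:blank:]]+/bin/(true|false)([[:blank:]]|$)" "$conf" || :)
   n_black=$(grep -Ec "^[[:blank:]]*blacklist[[:blank:]]+$mname([[:blank:]]|$)" "$conf" || :)
   [ "$n_install" -eq 1 ] && [ "$n_black" -eq 1 ]
}

# conf_line_count MODULE [DIR]
# Prints the number of lines in the module's conf file (2 after a correct run).
conf_line_count() {
   grep -c '' "${2:-/etc/modprobe.d}/$1.conf"
}
```

Usage on a real system is `write_module_deny iwlwifi && verify_module_deny iwlwifi` as root; the benchmark's remediation script then still needs `modprobe -r` (or a reboot) to take the module out of the running kernel, and the audit script above is the authoritative check because it also consults `modprobe --showconfig` and the full `/etc/modprobe.d/*` set rather than a single file.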

MuhammadMoinurRahman/CIS/GUIDE312 (last edited 2024-03-04T16:20:13+0000 by MuhammadMoinurRahman)