7.1.1.21. Least Functionality
Whenever possible, SIMP prevents kernel modules that could cause harm or are unnecessary from loading. The operating system’s modprobe blacklist feature is used to stop the following kernel modules from loading:
- bluetooth
- cramfs
- dccp
- dccp_ipv4
- dccp_ipv6
- freevxfs
- hfs
- hfsplus
- ieee1394
- jffs2
- net-pf-31
- rds
- sctp
- squashfs
- tipc
- udf
- usb-storage
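
An added example, not part of the SIMP documentation or code base: a Python audit that parses modprobe.d-style configuration and reports, for each module in the list above, whether it is only blacklisted (autoloading through the module's aliases is suppressed, but an explicit `modprobe` by name still loads it) or disabled through an `install` override. The sample configuration is constructed and the function names are hypothetical.

```python
# Module list taken from the page above.
MODULES = ["bluetooth", "cramfs", "dccp", "dccp_ipv4", "dccp_ipv6", "freevxfs",
           "hfs", "hfsplus", "ieee1394", "jffs2", "net-pf-31", "rds", "sctp",
           "squashfs", "tipc", "udf", "usb-storage"]

# Constructed sample of /etc/modprobe.d/*.conf content (not SIMP's real file).
SAMPLE_CONF = """\
# constructed example
blacklist bluetooth
blacklist cramfs
install cramfs /bin/true
blacklist usb_storage
install dccp /bin/false
   blacklist   hfs
#blacklist udf
"""

def norm(name):
    # modprobe treats '-' and '_' in module names as equivalent.
    return name.replace("-", "_")

def parse_modprobe(text):
    """Return (blacklisted, install_disabled) sets of normalised names."""
    blacklisted, disabled = set(), set()
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        words = stripped.split()
        if words[0] == "blacklist" and len(words) >= 2:
            blacklisted.add(norm(words[1]))
        elif (words[0] == "install" and len(words) >= 3
              and words[2] in ("/bin/true", "/bin/false")):
            # modprobe runs this command instead of loading the module.
            disabled.add(norm(words[1]))
    return blacklisted, disabled

def audit(text, modules=MODULES):
    """Map each expected module to its strongest blocking state."""
    blacklisted, disabled = parse_modprobe(text)
    report = {}
    for mod in modules:
        key = norm(mod)
        if key in disabled:
            report[mod] = "install-disabled"
        elif key in blacklisted:
            report[mod] = "blacklisted"
        else:
            report[mod] = "not-blocked"
    return report
```

On a real host, concatenate the files under `/etc/modprobe.d/` and pass the text to `audit()`; any module reported as `not-blocked` is missing from the configuration.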
Certain applications or application features are also explicitly disabled. The ``hosts.equiv`` file (part of the r-series of commands) is disabled. Prelinking, which changes binaries to improve startup time, is also disabled.
References: CM-7 : LEAST FUNCTIONALITY