1.1.1.1 Ensure mounting of cramfs filesystems is disabled - blacklist

Information

The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.

Rationale:

Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

Solution

Edit or create a file in the /etc/modprobe.d/ directory ending in .conf with a line that reads install cramfs /bin/false and a line the reads blacklist cramfs.
Example:

# printf 'install cramfs /bin/false
blacklist cramfs
' >> /etc/modprobe.d/cramfs.conf

Run the following command to unload the cramfs module:

# modprobe -r cramfs

Additional Information:

NIST SP 800-53 Rev. 5:

CM-7

See Also

https://workbench.cisecurity.org/files/3939

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: efac81163f25a7b9d02243e1d25a975e6ce754bc55acf6a8eb0a19689a35fd0f