1.1.1.1 Ensure mounting of cramfs filesystems is disabled - blacklist

Information

The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.

Rationale:

Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

Solution

Edit or create a file in the /etc/modprobe.d/ directory ending in .conf with a line that reads install cramfs /bin/false and a line the reads blacklist cramfs.
Example:

# printf 'install cramfs /bin/false
blacklist cramfs
' >> /etc/modprobe.d/cramfs.conf

Run the following command to unload the cramfs module:

# modprobe -r cramfs

Additional Information:

NIST SP 800-53 Rev. 5:

CM-7

See Also

https://workbench.cisecurity.org/files/3939

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: f3cae7b556a6f7fded53a94070de30fbc11d10fa2dd57407c5b10f720ba9a11b