Detections
Analytics

1.1.1.6 Ensure squashfs kernel module is not available

Information

The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A squashfs image can be used without having to first decompress the image.

Rationale:

Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

Impact:

As Snap packages utilizes squashfs as a compressed filesystem, disabling squashfs will cause Snap packages to fail.

Snap application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software's end-user. Snaps themselves have no dependency on any external store ('App store'), can be obtained from any source and can be therefore used for upstream software deployment.

Solution

Run the following script to disable the squashfs module:
-IF- the module is available in the running kernel:

Create a file ending in .conf with install squashfs /bin/false in the /etc/modprobe.d/ directory

Create a file ending in .conf with blacklist squashfs in the /etc/modprobe.d/ directory

Unload squashfs from the kernel

-IF- available in ANY installed kernel:

Create a file ending in .conf with blacklist squashfs in the /etc/modprobe.d/ directory

-IF- the kernel module is not available on the system or pre-compiled into the kernel:

No remediation is necessary

#!/usr/bin/env bash

{
 l_mname='squashfs' # set module name
 l_mtype='fs' # set module type
 l_mpath='/lib/modules/**/kernel/$l_mtype'
 l_mpname='$(tr '-' '_' <<< '$l_mname')'
 l_mndir='$(tr '-' '/' <<< '$l_mname')'

 module_loadable_fix()
 {
 # If the module is currently loadable, add 'install {MODULE_NAME} /bin/false' to a file in '/etc/modprobe.d'
 l_loadable='$(modprobe -n -v '$l_mname')'
 [ '$(wc -l <<< '$l_loadable')' -gt '1' ] && l_loadable='$(grep -P -- '(^h*install|b$l_mname)b' <<< '$l_loadable')'
 if ! grep -Pq -- '^h*install /bin/(true|false)' <<< '$l_loadable'; then
 echo -e '
 - setting module: '$l_mname' to be not loadable'
 echo -e 'install $l_mname /bin/false' >> /etc/modprobe.d/'$l_mpname'.conf
 fi
 }
 module_loaded_fix()
 {
 # If the module is currently loaded, unload the module
 if lsmod | grep '$l_mname' > /dev/null 2>&1; then
 echo -e '
 - unloading module '$l_mname''
 modprobe -r '$l_mname'
 fi
 }
 module_deny_fix()
 {
 # If the module isn't deny listed, denylist the module
 if ! modprobe --showconfig | grep -Pq -- '^h*blacklisth+$l_mpnameb'; then
 echo -e '
 - deny listing '$l_mname''
 echo -e 'blacklist $l_mname' >> /etc/modprobe.d/'$l_mpname'.conf
 fi
 }
 # Check if the module exists on the system
 for l_mdir in $l_mpath; do
 if [ -d '$l_mdir/$l_mndir' ] && [ -n '$(ls -A $l_mdir/$l_mndir)' ]; then
 echo -e '
 - module: '$l_mname' exists in '$l_mdir'
 - checking if disabled...'
 module_deny_fix
 if [ '$l_mdir' = '/lib/modules/$(uname -r)/kernel/$l_mtype' ]; then
 module_loadable_fix
 module_loaded_fix
 fi
 else
 echo -e '
 - module: '$l_mname' doesn't exist in '$l_mdir'
'
 fi
 done
 echo -e '
 - remediation of module: '$l_mname' complete
'
}

See Also

https://workbench.cisecurity.org/benchmarks/15288

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: af7a6db706a2192b676274c5738065711043df8b7629ef0f3df184dbe9d4d0bf