1.1.1.7 Ensure udf kernel module is not available

Information

The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats.

Rationale:

Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

Impact:

Microsoft Azure requires the udf filesystem.

udf should not be disabled on systems running on Microsoft Azure.

Solution

Run the following script to disable the udf module. The script handles each of these cases:

-IF- the module is available in the running kernel:

Create a file ending in .conf with install udf /bin/false in the /etc/modprobe.d/ directory

Create a file ending in .conf with blacklist udf in the /etc/modprobe.d/ directory

Unload udf from the kernel

-IF- available in ANY installed kernel:

Create a file ending in .conf with blacklist udf in the /etc/modprobe.d/ directory

-IF- the kernel module is not available on the system or pre-compiled into the kernel:

No remediation is necessary

#!/usr/bin/env bash

{
   l_mname="udf" # set module name
   l_mtype="fs" # set module type
   l_mpath="/lib/modules/**/kernel/$l_mtype"
   l_mpname="$(tr '-' '_' <<< "$l_mname")"
   l_mndir="$(tr '-' '/' <<< "$l_mname")"

   module_loadable_fix()
   {
      # If the module is currently loadable, add "install {MODULE_NAME} /bin/false" to a file in "/etc/modprobe.d"
      l_loadable="$(modprobe -n -v "$l_mname")"
      [ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
      if ! grep -Pq -- "^\h*install /bin/(true|false)" <<< "$l_loadable"; then
         echo -e "\n - setting module: \"$l_mname\" to be not loadable"
         echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mpname".conf
      fi
   }
   module_loaded_fix()
   {
      # If the module is currently loaded, unload the module
      if lsmod | grep "$l_mname" > /dev/null 2>&1; then
         echo -e "\n - unloading module \"$l_mname\""
         modprobe -r "$l_mname"
      fi
   }
   module_deny_fix()
   {
      # If the module isn't deny listed, denylist the module
      if ! modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mpname\b"; then
         echo -e "\n - deny listing \"$l_mname\""
         echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mpname".conf
      fi
   }
   # Check if the module exists on the system
   for l_mdir in $l_mpath; do
      if [ -d "$l_mdir/$l_mndir" ] && [ -n "$(ls -A "$l_mdir/$l_mndir")" ]; then
         echo -e "\n - module: \"$l_mname\" exists in \"$l_mdir\"\n - checking if disabled..."
         module_deny_fix
         if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
            module_loadable_fix
            module_loaded_fix
         fi
      else
         echo -e "\n - module: \"$l_mname\" doesn't exist in \"$l_mdir\"\n"
      fi
   done
   echo -e "\n - remediation of module: \"$l_mname\" complete\n"
}
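The remediation above establishes three conditions: an install-to-/bin/false line, a blacklist line, and the module not being loaded. The following audit helper is an added example written for this page; it is not part of the CIS benchmark or the Tenable plugin. It checks those conditions read-only against a modprobe.d-style directory and captured dry-run output that the caller passes in, so it can be exercised against constructed sample files. All function names, the --live switch, and the sample udf.conf contents are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the benchmark: audit the conditions the
# remediation script establishes, without modifying the system.
# Function names below are this example's own, not CIS/Tenable identifiers.

# 0 if some DIR/*.conf carries "install <mod> /bin/false" (or /bin/true)
conf_has_install_false() {
  local mod="$1" dir="$2"
  grep -qsE -- "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(true|false)([[:space:]]|$)" "$dir"/*.conf
}

# 0 if some DIR/*.conf carries "blacklist <mod>"
conf_has_blacklist() {
  local mod="$1" dir="$2"
  grep -qsE -- "^[[:space:]]*blacklist[[:space:]]+${mod}([[:space:]]|$)" "$dir"/*.conf
}

# Given the text that "modprobe -n -v <mod>" printed, 0 if the module would
# still be loaded, i.e. the dry run did not resolve to install /bin/true|false.
dryrun_is_loadable() {
  local out="$1"
  ! printf '%s\n' "$out" | grep -qE -- "^[[:space:]]*install[[:space:]]+/bin/(true|false)"
}

# Prints PASS or FAIL for MOD given a modprobe.d directory and the captured
# dry-run output; a FAIL line names every missing condition.
audit_module_state() {
  local mod="$1" dir="$2" dryrun="$3" missing=""
  conf_has_install_false "$mod" "$dir" || missing="$missing install-false"
  conf_has_blacklist "$mod" "$dir"     || missing="$missing blacklist"
  dryrun_is_loadable "$dryrun"         && missing="$missing still-loadable"
  if [ -z "$missing" ]; then
    echo "PASS: $mod is denied, not loadable and not installable"
  else
    echo "FAIL: $mod missing:$missing"
  fi
}

# Constructed sample: a temp dir standing in for /etc/modprobe.d holding
# either a complete (state=good) or an incomplete (state=bad) udf.conf.
# Prints the directory path; the caller removes it.
make_sample_modprobe_d() {
  local state="$1" dir
  dir="$(mktemp -d)"
  if [ "$state" = good ]; then
    printf 'install udf /bin/false\nblacklist udf\n' > "$dir/udf.conf"
  else
    printf '# blacklist line forgotten\ninstall udf /bin/false\n' > "$dir/udf.conf"
  fi
  echo "$dir"
}

# Only this branch touches the host: run as "./audit.sh --live" (assumed
# file name) to check the real /etc/modprobe.d and the real modprobe dry run.
if [ "${1:-}" = "--live" ]; then
  audit_module_state udf /etc/modprobe.d "$(modprobe -n -v udf 2>/dev/null)"
fi
```

The audit deliberately reads the same signals the remediation writes (the conf lines and the modprobe dry run) rather than lsmod alone, because a module that is merely unloaded right now is still one modprobe call away from being loaded again.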

See Also

https://workbench.cisecurity.org/benchmarks/15288

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: ccba021e7e6b1bbb02f30b6435e1be8d772f3c50aa0f4d1aaeff3d867fc112f2