Detections
Analytics

1.1.1.3 Ensure hfs kernel module is not available

Information

The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems.

Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

Solution

Run the following to unload and disable the hfs kernel module. This can also be done by running the script included below.

Run the following commands to unload the hfs kernel module:

# modprobe -r hfs 2>/dev/null
# rmmod hfs 2>/dev/null

Perform the following to disable the hfs kernel module:

Create a file ending inconf with install hfs /bin/false in the /etc/modprobe.d/ directory

Example:

# printf '\n%s\n' "install hfs /bin/false" >> hfs.conf

Create a file ending inconf with blacklist hfs in the /etc/modprobe.d/ directory

Example:

# printf '\n%s\n' "blacklist hfs" >> hfs.conf

Optional remediation script:

This script will perform the above remediation as required by the system

#!/usr/bin/env bash

{
 a_output2=() a_output3=() l_dl="" l_mod_name="hfs" l_mod_type="fs"
 l_mod_path="$(readlink -f /usr/lib/modules/**/kernel/$l_mod_type || readlink -f /lib/modules/**/kernel/$l_mod_type)"
 f_module_fix()
 {
 l_dl="y" a_showconfig=()
 while IFS= read -r l_showconfig; do
 a_showconfig+=("$l_showconfig")
 done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_chk_name//-/_}"'\b')
 if lsmod | grep "$l_mod_chk_name" &> /dev/null; then
 a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
 modprobe -r "$l_mod_chk_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
 fi
 if ! grep -Pq -- '\binstall\h+'"${l_mod_chk_name//-/_}"'\h+(\/usr)?\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
 a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"$(readlink -f /bin/false)\"")
 printf '%s\n' "install $l_mod_chk_name $(readlink -f /bin/false)" >> /etc/modprobe.d/"$l_mod_name".conf
 fi
 if ! grep -Pq -- '\bblacklist\h+'"${l_mod_chk_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
 a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
 printf '%s\n' "blacklist $l_mod_chk_name" >> /etc/modprobe.d/"$l_mod_name".conf
 fi
 }
 for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
 if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A "$l_mod_base_directory/${l_mod_name/-/\/}")" ]; then
 a_output3+=(" - \"$l_mod_base_directory\"")
 l_mod_chk_name="$l_mod_name"
 [[ "$l_mod_name" =~ overlay ]] && l_mod_chk_name="${l_mod_name::-2}"
 [ "$l_dl" != "y" ] && f_module_fix
 else
 printf '%s\n' " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
 fi
 done
 [ "${#a_output3[@]}" -gt 0 ] && printf '%s\n' "" " -- INFO --" " - module: \"$l_mod_name\" exists in:" "${a_output3[@]}"
 [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "" "${a_output2[@]}" || printf '%s\n' "" " - No changes needed"
 printf '%s\n' "" " - remediation of kernel module: \"$l_mod_name\" complete" ""
}

See Also

https://workbench.cisecurity.org/benchmarks/21095

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 9f2b235edf93b1f1f1bdb1514c669315d088b4f9195481409907bc4ba3ecb349