1.1.1.6 Ensure overlay kernel module is not available

Information

overlay is a Linux filesystem that layers multiple filesystems to create a single unified view which allows a user to "merge" several mount points into a unified filesystem.

The overlay has known CVE's: CVE-2023-32629, CVE-2023-2640, CVE-2023-0386. Disabling the overlay reduces the local attack surface by removing support for unnecessary filesystem types and mitigates potential risks associated with unauthorized execution of setuid files, enhancing the overall system security.

Solution

Run the following to unload and disable the overlay kernel module. This can also be done by running the script included below.

Run the following commands to unload the overlay kernel module:

# modprobe -r overlay 2>/dev/null
# rmmod overlay 2>/dev/null

Perform the following to disable the overlay kernel module:

Create a file ending inconf with install overlay /bin/false in the /etc/modprobe.d/ directory

Example:

# printf '\n%s\n' "install overlay /bin/false" >> overlay.conf

Create a file ending inconf with blacklist overlay in the /etc/modprobe.d/ directory

Example:

# printf '\n%s\n' "blacklist overlay" >> overlay.conf

Optional remediation script:

This script will perform the above remediation as required by the system

#!/usr/bin/env bash

{
a_output2=() a_output3=() l_dl="" l_mod_name="overlayfs" l_mod_type="fs"
l_mod_path="$(readlink -f /usr/lib/modules/**/kernel/$l_mod_type || readlink -f /lib/modules/**/kernel/$l_mod_type)"
f_module_fix()
{
l_dl="y" a_showconfig=()
while IFS= read -r l_showconfig; do
a_showconfig+=("$l_showconfig")
done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_chk_name//-/_}"'\b')
if lsmod | grep "$l_mod_chk_name" &> /dev/null; then
a_output2+=(" - unloading kernel module: \"$l_mod_chk_name\"")
modprobe -r "$l_mod_chk_name" 2>/dev/null; rmmod "$l_mod_chk_name" 2>/dev/null
fi
if ! grep -Pq -- '\binstall\h+'"${l_mod_chk_name//-/_}"'\h+(\/usr)?\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
a_output2+=(" - setting kernel module: \"$l_mod_chk_name\" to \"$(readlink -f /bin/false)\"")
printf '%s\n' "install $l_mod_chk_name $(readlink -f /bin/false)" >> /etc/modprobe.d/"$l_mod_chk_name".conf
fi
if ! grep -Pq -- '\bblacklist\h+'"${l_mod_chk_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
a_output2+=(" - denylisting kernel module: \"$l_mod_chk_name\"")
printf '%s\n' "blacklist $l_mod_chk_name" >> /etc/modprobe.d/"$l_mod_chk_name".conf
fi
}
for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A "$l_mod_base_directory/${l_mod_name/-/\/}")" ]; then
a_output3+=(" - \"$l_mod_base_directory\"")
l_mod_chk_name="$l_mod_name"
[[ "$l_mod_name" =~ overlay ]] && l_mod_chk_name="${l_mod_name::-2}"
[ "$l_dl" != "y" ] && f_module_fix
else
printf '%s\n' " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
fi
done
[ "${#a_output3[@]}" -gt 0 ] && printf '%s\n' "" " -- INFO --" " - module: \"$l_mod_name\" exists in:" "${a_output3[@]}"
[ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "" "${a_output2[@]}" || printf '%s\n' "" " - No changes needed"
printf '%s\n' "" " - remediation of kernel module: \"$l_mod_name\" complete" ""
}

Impact:

WARNING: If Container applications such as Docker, Kubernetes, Podman, Linux Containers (LXC), etc. are in use proceed with caution and consider the impact on containerized workloads, as disabling the overlay may severely disrupt containerization.

See Also

https://workbench.cisecurity.org/benchmarks/21095

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: cb852a75effcc8c78afefce345ea7f8fa38ddae90106e75bd563304023e8224b