Detections
Analytics

1.1.1.6 Ensure overlay kernel module is not available

Information

overlay is a Linux filesystem that layers multiple filesystems to create a single unified view which allows a user to "merge" several mount points into a unified filesystem.

The overlay has known CVE's: CVE-2023-32629, CVE-2023-2640, CVE-2023-0386. Disabling the overlay reduces the local attack surface by removing support for unnecessary filesystem types and mitigates potential risks associated with unauthorized execution of setuid files, enhancing the overall system security.

Solution

Run the following to unload and disable the overlay kernel module. This can also be done by running the script included below.

Run the following commands to unload the overlay kernel module:

# modprobe -r overlay 2>/dev/null
# rmmod overlay 2>/dev/null

Perform the following to disable the overlay kernel module:

Create a file ending inconf with install overlay /bin/false in the /etc/modprobe.d/ directory

Example:

# printf '\n%s\n' "install overlay /bin/false" >> overlay.conf

Create a file ending inconf with blacklist overlay in the /etc/modprobe.d/ directory

Example:

# printf '\n%s\n' "blacklist overlay" >> overlay.conf

Optional remediation script:

This script will perform the above remediation as required by the system

#!/usr/bin/env bash

{
 a_output2=() a_output3=() l_dl="" l_mod_name="overlayfs" l_mod_type="fs"
 l_mod_path="$(readlink -f /usr/lib/modules/**/kernel/$l_mod_type || readlink -f /lib/modules/**/kernel/$l_mod_type)"
 f_module_fix()
 {
 l_dl="y" a_showconfig=()
 while IFS= read -r l_showconfig; do
 a_showconfig+=("$l_showconfig")
 done < <(modprobe --showconfig | grep -P -- '\b(install|blacklist)\h+'"${l_mod_chk_name//-/_}"'\b')
 if lsmod | grep "$l_mod_chk_name" &> /dev/null; then
 a_output2+=(" - unloading kernel module: \"$l_mod_chk_name\"")
 modprobe -r "$l_mod_chk_name" 2>/dev/null; rmmod "$l_mod_chk_name" 2>/dev/null
 fi
 if ! grep -Pq -- '\binstall\h+'"${l_mod_chk_name//-/_}"'\h+(\/usr)?\/bin\/(true|false)\b' <<< "${a_showconfig[*]}"; then
 a_output2+=(" - setting kernel module: \"$l_mod_chk_name\" to \"$(readlink -f /bin/false)\"")
 printf '%s\n' "install $l_mod_chk_name $(readlink -f /bin/false)" >> /etc/modprobe.d/"$l_mod_chk_name".conf
 fi
 if ! grep -Pq -- '\bblacklist\h+'"${l_mod_chk_name//-/_}"'\b' <<< "${a_showconfig[*]}"; then
 a_output2+=(" - denylisting kernel module: \"$l_mod_chk_name\"")
 printf '%s\n' "blacklist $l_mod_chk_name" >> /etc/modprobe.d/"$l_mod_chk_name".conf
 fi
 }
 for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
 if [ -d "$l_mod_base_directory/${l_mod_name/-/\/}" ] && [ -n "$(ls -A "$l_mod_base_directory/${l_mod_name/-/\/}")" ]; then
 a_output3+=(" - \"$l_mod_base_directory\"")
 l_mod_chk_name="$l_mod_name"
 [[ "$l_mod_name" =~ overlay ]] && l_mod_chk_name="${l_mod_name::-2}"
 [ "$l_dl" != "y" ] && f_module_fix
 else
 printf '%s\n' " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
 fi
 done
 [ "${#a_output3[@]}" -gt 0 ] && printf '%s\n' "" " -- INFO --" " - module: \"$l_mod_name\" exists in:" "${a_output3[@]}"
 [ "${#a_output2[@]}" -gt 0 ] && printf '%s\n' "" "${a_output2[@]}" || printf '%s\n' "" " - No changes needed"
 printf '%s\n' "" " - remediation of kernel module: \"$l_mod_name\" complete" ""
}

Impact:

WARNING: If Container applications such as Docker, Kubernetes, Podman, Linux Containers (LXC), etc. are in use proceed with caution and consider the impact on containerized workloads, as disabling the overlay may severely disrupt containerization.

See Also

https://workbench.cisecurity.org/benchmarks/21095

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: cb852a75effcc8c78afefce345ea7f8fa38ddae90106e75bd563304023e8224b