1.1.1.1 Ensure mounting of cramfs filesystems is disabled - blacklist

Information

The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.

Rationale:

Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

Solution

Run the following script to disable cramfs:

#!/usr/bin/env bash

{
l_mname='cramfs' # set module name
if ! modprobe -n -v '$l_mname' | grep -P -- '^h*install /bin/(true|false)'; then
echo -e ' - setting module: '$l_mname' to be not loadable'
echo -e 'install $l_mname /bin/false' >> /etc/modprobe.d/'$l_mname'.conf
fi
if lsmod | grep '$l_mname' > /dev/null 2>&1; then
echo -e ' - unloading module '$l_mname''
modprobe -r '$l_mname'
fi
if ! grep -Pq -- '^h*blacklisth+$l_mnameb' /etc/modprobe.d/*; then
echo -e ' - deny listing '$l_mname''
echo -e 'blacklist $l_mname' >> /etc/modprobe.d/'$l_mname'.conf
fi
}

See Also

https://workbench.cisecurity.org/files/4068

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: dbe8c33f9830ce3a6ab966544337e6eb7cdfb240bf570708f2287ac327de781f