Detections
Analytics

1.1.1.6 Ensure overlayfs kernel module is not available

Information

overlayfs is a Linux filesystem that layers multiple filesystems to create a single unified view which allows a user to "merge" several mount points into a unified filesystem.

The overlayfs has known CVE's: CVE-2023-32629, CVE-2023-2640, CVE-2023-0386. Disabling the overlayfs reduces the local attack surface by removing support for unnecessary filesystem types and mitigates potential risks associated with unauthorized execution of setuid files, enhancing the overall system security.

Solution

Run the following script to unload and disable the overlayfs module:

- IF - the overlayfs kernel module is available in ANY installed kernel:

 - Create a file ending inconf with install overlayfs /bin/false in the /etc/modprobe.d/ directory
 - Create a file ending inconf with blacklist overlayfs in the /etc/modprobe.d/ directory
 - Run modprobe -r overlay 2>/dev/null; rmmod overlay 2>/dev/null to remove overlayfs from the kernel

- IF - the overlayfs kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary

#!/usr/bin/env bash

{
 a_output2=() a_output3=() l_dl="" l_mod_name="overlayfs" l_mod_type="fs"
 l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
 f_module_fix()
 {
 l_dl="y" a_showconfig=()
 while IFS= read -r l_showconfig; do
 a_showconfig+=("$l_showconfig")
 done < <(modprobe --showconfig | grep -P -- 'b(install|blacklist)h+'"${l_mod_chk_name//-/_}"'b')
 if lsmod | grep "$l_mod_chk_name" &amp;> /dev/null; then
 a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
 modprobe -r "$l_mod_chk_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
 fi
 if ! grep -Pq -- 'binstallh+'"${l_mod_chk_name//-/_}"'h+(/usr)?/bin/(true|false)b' <<< "${a_showconfig[*]}"; then
 a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"$(readlink -f /bin/false)\"")
 printf '%s
' "install $l_mod_chk_name $(readlink -f /bin/false)" >> /etc/modprobe.d/"$l_mod_name".conf
 fi
 if ! grep -Pq -- 'bblacklisth+'"${l_mod_chk_name//-/_}"'b' <<< "${a_showconfig[*]}"; then
 a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
 printf '%s
' "blacklist $l_mod_chk_name" >> /etc/modprobe.d/"$l_mod_name".conf
 fi
 }
 for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
 if [ -d "$l_mod_base_directory/${l_mod_name/-//}" ] &amp;&amp; [ -n "$(ls -A "$l_mod_base_directory/${l_mod_name/-//}")" ]; then
 a_output3+=(" - \"$l_mod_base_directory\"")
 l_mod_chk_name="$l_mod_name"
 [[ "$l_mod_name" =~ overlay ]] &amp;&amp; l_mod_chk_name="${l_mod_name::-2}"
 [ "$l_dl" != "y" ] &amp;&amp; f_module_fix
 else
 printf '%s
' " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
 fi
 done
 [ "${#a_output3[@]}" -gt 0 ] &amp;&amp; printf '%s
' "" " -- INFO --" " - module: \"$l_mod_name\" exists in:" "${a_output3[@]}"
 [ "${#a_output2[@]}" -gt 0 ] &amp;&amp; printf '%s
' "" "${a_output2[@]}" || printf '%s
' "" " - No changes needed"
 printf '%s
' "" " - remediation of kernel module: \"$l_mod_name\" complete" ""
}

Impact:

WARNING: If Container applications such as Docker, Kubernetes, Podman, Linux Containers (LXC), etc. are in use proceed with caution and consider the impact on containerized workloads, as disabling the overlayfs may severely disrupt containerization.

See Also

https://workbench.cisecurity.org/benchmarks/18960

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 8fe7666072e9d5a88c54bda92dc6b693e2f058955cdd5c55d77fb5b62c288a7a