1.1.1.1 Ensure cramfs kernel module is not available

Information

The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.

Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

Solution

Run the following script to disable the cramfs module:

-IF- the module is available in the running kernel:

- Create a file ending inconf with install cramfs /bin/false in the /etc/modprobe.d/ directory
- Create a file ending inconf with blacklist cramfs in the /etc/modprobe.d/ directory
- Unload cramfs from the kernel

-IF- available in ANY installed kernel:

- Create a file ending inconf with blacklist cramfs in the /etc/modprobe.d/ directory

-IF- the kernel module is not available on the system or pre-compiled into the kernel:

- No remediation is necessary

#!/usr/bin/env bash

{
l_mname="cramfs" # set module name
l_mtype="fs" # set module type
l_mpath="/lib/modules/**/kernel/$l_mtype"
l_mpname="$(tr '-' '_' <<< "$l_mname")"
l_mndir="$(tr '-' '/' <<< "$l_mname")"

module_loadable_fix()
{
# If the module is currently loadable, add "install {MODULE_NAME} /bin/false" to a file in "/etc/modprobe.d"
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] &amp;&amp; l_loadable="$(grep -P -- "(^h*install|b$l_mname)b" <<< "$l_loadable")"
if ! grep -Pq -- '^h*install /bin/(true|false)' <<< "$l_loadable"; then
echo -e "
- setting module: \"$l_mname\" to be not loadable"
echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mpname".conf
fi
}
module_loaded_fix()
{
# If the module is currently loaded, unload the module
if lsmod | grep "$l_mname" > /dev/null 2>&amp;1; then
echo -e "
- unloading module \"$l_mname\""
modprobe -r "$l_mname"
fi
}
module_deny_fix()
{
# If the module isn't deny listed, denylist the module
if ! modprobe --showconfig | grep -Pq -- "^h*blacklisth+$l_mpnameb"; then
echo -e "
- deny listing \"$l_mname\""
echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mpname".conf
fi
}
# Check if the module exists on the system
for l_mdir in $l_mpath; do
if [ -d "$l_mdir/$l_mndir" ] &amp;&amp; [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
echo -e "
- module: \"$l_mname\" exists in \"$l_mdir\"
- checking if disabled..."
module_deny_fix
if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
module_loadable_fix
module_loaded_fix
fi
else
echo -e "
- module: \"$l_mname\" doesn't exist in \"$l_mdir\"
"
fi
done
echo -e "
- remediation of module: \"$l_mname\" complete
"
}

See Also

https://workbench.cisecurity.org/benchmarks/15289

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 294ec7625e305339def0e7aa72f64253bb28a5bf71cb6e6c665e0079711322c7