1.1.1.6 Ensure squashfs kernel module is not available

Information

The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A squashfs image can be used without having to first decompress the image.

Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

Solution

Run the following script to disable the squashfs module:

-IF- the module is available in the running kernel:

- Create a file ending inconf with install squashfs /bin/false in the /etc/modprobe.d/ directory
- Create a file ending inconf with blacklist squashfs in the /etc/modprobe.d/ directory
- Unload squashfs from the kernel

-IF- available in ANY installed kernel:

- Create a file ending inconf with blacklist squashfs in the /etc/modprobe.d/ directory

-IF- the kernel module is not available on the system or pre-compiled into the kernel:

- No remediation is necessary

#!/usr/bin/env bash

{
l_mname="squashfs" # set module name
l_mtype="fs" # set module type
l_mpath="/lib/modules/**/kernel/$l_mtype"
l_mpname="$(tr '-' '_' <<< "$l_mname")"
l_mndir="$(tr '-' '/' <<< "$l_mname")"

module_loadable_fix()
{
# If the module is currently loadable, add "install {MODULE_NAME} /bin/false" to a file in "/etc/modprobe.d"
l_loadable="$(modprobe -n -v "$l_mname")"
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] &amp;&amp; l_loadable="$(grep -P -- "(^h*install|b$l_mname)b" <<< "$l_loadable")"
if ! grep -Pq -- '^h*install /bin/(true|false)' <<< "$l_loadable"; then
echo -e "
- setting module: \"$l_mname\" to be not loadable"
echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mpname".conf
fi
}
module_loaded_fix()
{
# If the module is currently loaded, unload the module
if lsmod | grep "$l_mname" > /dev/null 2>&amp;1; then
echo -e "
- unloading module \"$l_mname\""
modprobe -r "$l_mname"
fi
}
module_deny_fix()
{
# If the module isn't deny listed, denylist the module
if ! modprobe --showconfig | grep -Pq -- "^h*blacklisth+$l_mpnameb"; then
echo -e "
- deny listing \"$l_mname\""
echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mpname".conf
fi
}
# Check if the module exists on the system
for l_mdir in $l_mpath; do
if [ -d "$l_mdir/$l_mndir" ] &amp;&amp; [ -n "$(ls -A $l_mdir/$l_mndir)" ]; then
echo -e "
- module: \"$l_mname\" exists in \"$l_mdir\"
- checking if disabled..."
module_deny_fix
if [ "$l_mdir" = "/lib/modules/$(uname -r)/kernel/$l_mtype" ]; then
module_loadable_fix
module_loaded_fix
fi
else
echo -e "
- module: \"$l_mname\" doesn't exist in \"$l_mdir\"
"
fi
done
echo -e "
- remediation of module: \"$l_mname\" complete
"
}

Impact:

As Snap packages utilizes squashfs as a compressed filesystem, disabling squashfs will cause Snap packages to fail.

Snap application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software's end-user. Snaps themselves have no dependency on any external store ("App store"), can be obtained from any source and can be therefore used for upstream software deployment.

See Also

https://workbench.cisecurity.org/benchmarks/15964