1.1.1.6 Ensure squashfs kernel module is not available

Information

The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A squashfs image can be used without having to first decompress the image.

Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

Solution

Run the following script to unload and disable the udf module:

- IF - the squashfs kernel module is available in ANY installed kernel:

- Create a file ending inconf with install squashfs /bin/false in the /etc/modprobe.d/ directory
- Create a file ending inconf with blacklist squashfs in the /etc/modprobe.d/ directory
- Run modprobe -r squashfs 2>/dev/null; rmmod squashfs 2>/dev/null to remove squashfs from the kernel

- IF - the squashfs kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary

#!/usr/bin/env bash

{
unset a_output2; l_output3="" l_dl="" # unset arrays and clear variables
l_mod_name="squashfs" # set module name
l_mod_type="fs" # set module type
l_mod_path="$(readlink -f /lib/modules/**/kernel/$l_mod_type | sort -u)"
f_module_fix()
{
l_dl="y" # Set to ignore duplicate checks
a_showconfig=() # Create array with modprobe output
while IFS= read -r l_showconfig; do
a_showconfig+=("$l_showconfig")
done < <(modprobe --showconfig | grep -P -- 'b(install|blacklist)h+'"${l_mod_name//-/_}"'b')
if lsmod | grep "$l_mod_name" &amp;> /dev/null; then # Check if the module is currently loaded
a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
modprobe -r "$l_mod_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
fi
if ! grep -Pq -- 'binstallh+'"${l_mod_name//-/_}"'h+/bin/(true|false)b' <<< "${a_showconfig[*]}"; then
a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"/bin/false\"")
printf '%s
' "install $l_mod_name /bin/false" >> /etc/modprobe.d/"$l_mod_name".conf
fi
if ! grep -Pq -- 'bblacklisth+'"${l_mod_name//-/_}"'b' <<< "${a_showconfig[*]}"; then
a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
printf '%s
' "blacklist $l_mod_name" >> /etc/modprobe.d/"$l_mod_name".conf
fi
}
for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
if [ -d "$l_mod_base_directory/${l_mod_name/-//}" ] &amp;&amp; [ -n "$(ls -A $l_mod_base_directory/${l_mod_name/-//})" ]; then
l_output3="$l_output3
- \"$l_mod_base_directory\""
[[ "$l_mod_name" =~ overlay ]] &amp;&amp; l_mod_name="${l_mod_name::-2}"
[ "$l_dl" != "y" ] &amp;&amp; f_module_fix
else
echo -e " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
fi
done
[ -n "$l_output3" ] &amp;&amp; echo -e "

-- INFO --
- module: \"$l_mod_name\" exists in:$l_output3"
[ "${#a_output2[@]}" -gt 0 ] &amp;&amp; printf '%s
' "${a_output2[@]}"
echo -e "
- remediation of kernel module: \"$l_mod_name\" complete
"
}

Impact:

As Snap packages utilize squashfs as a compressed filesystem, disabling squashfs will cause Snap packages to fail.

Snap application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software's end-user. Snaps themselves have no dependency on any external store ("App store"), can be obtained from any source and can be therefore used for upstream software deployment.

See Also

https://workbench.cisecurity.org/benchmarks/18211

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 5e6e8860522cbe3dbc95b2be2a28c09a98d14d6b437e16fa9d1e62f4d3b1746e