Detections
Analytics

1.1.1.6 Ensure overlayfs kernel module is not available

Information

overlay is a Linux filesystem that layers multiple filesystems to create a single unified view which allows a user to "merge" several mount points into a unified filesystem.

The overlay has known CVE's: CVE-2023-32629, CVE-2023-2640, CVE-2023-0386. Disabling the overlay reduces the local attack surface by removing support for unnecessary filesystem types and mitigates potential risks associated with unauthorized execution of setuid files, enhancing the overall system security.

Solution

Run the following script to unload and disable the overlay module:

- IF - the overlay kernel module is available in ANY installed kernel:

 - Create a file ending inconf with install overlay /bin/false in the /etc/modprobe.d/ directory
 - Create a file ending inconf with blacklist overlay in the /etc/modprobe.d/ directory
 - Run modprobe -r overlay 2>/dev/null; rmmod overlay 2>/dev/null to remove overlay from the kernel

- IF - the overlay kernel module is not available on the system, or pre-compiled into the kernel, no remediation is necessary

#!/usr/bin/env bash

{
 a_output2=() a_output3=() l_dl="" l_mod_name="overlay" l_mod_type="fs"
 l_mod_path="$(readlink -f /usr/lib/modules/**/kernel/$l_mod_type || readlink -f /lib/modules/**/kernel/$l_mod_type)"
 f_module_fix()
 {
 l_dl="y" a_showconfig=()
 while IFS= read -r l_showconfig; do
 a_showconfig+=("$l_showconfig")
 done < <(modprobe --showconfig | grep -P -- 'b(install|blacklist)h+'"${l_mod_chk_name//-/_}"'b')
 if lsmod | grep "$l_mod_chk_name" &> /dev/null; then
 a_output2+=(" - unloading kernel module: \"$l_mod_name\"")
 modprobe -r "$l_mod_chk_name" 2>/dev/null; rmmod "$l_mod_name" 2>/dev/null
 fi
 if ! grep -Pq -- 'binstallh+'"${l_mod_chk_name//-/_}"'h+(/usr)?/bin/(true|false)b' <<< "${a_showconfig[*]}"; then
 a_output2+=(" - setting kernel module: \"$l_mod_name\" to \"$(readlink -f /bin/false)\"")
 printf '%s
' "install $l_mod_chk_name $(readlink -f /bin/false)" >> /etc/modprobe.d/"$l_mod_name".conf
 fi
 if ! grep -Pq -- 'bblacklisth+'"${l_mod_chk_name//-/_}"'b' <<< "${a_showconfig[*]}"; then
 a_output2+=(" - denylisting kernel module: \"$l_mod_name\"")
 printf '%s
' "blacklist $l_mod_chk_name" >> /etc/modprobe.d/"$l_mod_name".conf
 fi
 }
 for l_mod_base_directory in $l_mod_path; do # Check if the module exists on the system
 if [ -d "$l_mod_base_directory/${l_mod_name/-//}" ] && [ -n "$(ls -A "$l_mod_base_directory/${l_mod_name/-//}")" ]; then
 a_output3+=(" - \"$l_mod_base_directory\"")
 l_mod_chk_name="$l_mod_name"
 [[ "$l_mod_name" =~ overlay ]] && l_mod_chk_name="${l_mod_name::-2}"
 [ "$l_dl" != "y" ] && f_module_fix
 else
 printf '%s
' " - kernel module: \"$l_mod_name\" doesn't exist in \"$l_mod_base_directory\""
 fi
 done
 [ "${#a_output3[@]}" -gt 0 ] && printf '%s
' "" " -- INFO --" " - module: \"$l_mod_name\" exists in:" "${a_output3[@]}"
 [ "${#a_output2[@]}" -gt 0 ] && printf '%s
' "" "${a_output2[@]}" || printf '%s
' "" " - No changes needed"
 printf '%s
' "" " - remediation of kernel module: \"$l_mod_name\" complete" ""
}

Impact:

WARNING: If Container applications such as Docker, Kubernetes, Podman, Linux Containers (LXC), etc. are in use proceed with caution and consider the impact on containerized workloads, as disabling the overlay may severely disrupt containerization.

See Also

https://workbench.cisecurity.org/benchmarks/20333

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: cb852a75effcc8c78afefce345ea7f8fa38ddae90106e75bd563304023e8224b