Disable Mounting of cramfs

Classification:

compliance

Framework:

Control:

Description

To configure the system to prevent the cramfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:

install cramfs /bin/true

This effectively prevents usage of this uncommon filesystem.

The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.

Rationale

Removing support for unneeded filesystem types reduces the local attack surface of the server.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if LC\_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then
 
 sed -i 's#^install cramfs.\*#install cramfs /bin/true#g' /etc/modprobe.d/cramfs.conf
else
 echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf
 echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf
fi

else
 >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Ensure kernel module 'cramfs' is disabled
 lineinfile:
 create: true
 dest: /etc/modprobe.d/cramfs.conf
 regexp: install\s+cramfs
 line: install cramfs /bin/true
 when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - NIST-800-171-3.4.6
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - disable\_strategy
 - kernel\_module\_cramfs\_disabled
 - low\_complexity
 - low\_severity
 - medium\_disruption
 - reboot\_required