Disable Mounting of cramfs
Description
To configure the system to prevent the cramfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:
This effectively prevents usage of this uncommon filesystem.
The cramfs filesystem type is a compressed read-only
Linux filesystem embedded in small footprint systems. A
cramfs image can be used without having to first
decompress the image.
Rationale
Removing support for unneeded filesystem types reduces the local attack surface
of the server.
Shell script
The following script can be run on the host to remediate the issue.
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if LC\_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then
sed -i 's#^install cramfs.\*#install cramfs /bin/true#g' /etc/modprobe.d/cramfs.conf
else
echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf
echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Ensure kernel module 'cramfs' is disabled
lineinfile:
create: true
dest: /etc/modprobe.d/cramfs.conf
regexp: install\s+cramfs
line: install cramfs /bin/true
when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- NIST-800-171-3.4.6
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- disable\_strategy
- kernel\_module\_cramfs\_disabled
- low\_complexity
- low\_severity
- medium\_disruption
- reboot\_required
