Disable Mounting of hfsplus

Docs > Datadog Security > OOTB Rules > Disable Mounting of hfsplus

Classification:

compliance

Framework:

Control:

Description

To configure the system to prevent the hfsplus kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfsplus.conf:

install hfsplus /bin/true

This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if LC\_ALL=C grep -q -m 1 "^install hfsplus" /etc/modprobe.d/hfsplus.conf ; then
 
 sed -i 's#^install hfsplus.\*#install hfsplus /bin/true#g' /etc/modprobe.d/hfsplus.conf
else
 echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfsplus.conf
 echo "install hfsplus /bin/true" >> /etc/modprobe.d/hfsplus.conf
fi

else
 >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Ensure kernel module 'hfsplus' is disabled
 lineinfile:
 create: true
 dest: /etc/modprobe.d/hfsplus.conf
 regexp: install\s+hfsplus
 line: install hfsplus /bin/true
 when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - NIST-800-171-3.4.6
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - disable\_strategy
 - kernel\_module\_hfsplus\_disabled
 - low\_complexity
 - low\_severity
 - medium\_disruption
 - reboot\_required