Disable Mounting of udf

Classification:

compliance

Framework:

Control:

Description

To configure the system to prevent the udf kernel module from being loaded, add the following line to the file /etc/modprobe.d/udf.conf:

install udf /bin/true

This effectively prevents usage of this uncommon filesystem.

The udf filesystem type is the Universal Disk Format used to implement the ISO/IEC 13346 and ECMA-167 specifications. It is an open, vendor-neutral filesystem type for data storage on a broad range of media, and is necessary for writing DVDs and newer optical disc formats.

Rationale

Removing support for unneeded filesystem types reduces the local attack surface of the system.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
# (skip inside Docker/Podman containers, where the host owns the kernel modules)
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    # If an "install udf" directive already exists, force it to /bin/true;
    # otherwise append a fresh directive to the rule's modprobe.d file.
    if LC_ALL=C grep -q -m 1 "^install udf" /etc/modprobe.d/udf.conf ; then
        sed -i 's#^install udf.*#install udf /bin/true#g' /etc/modprobe.d/udf.conf
    else
        echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/udf.conf
        echo "install udf /bin/true" >> /etc/modprobe.d/udf.conf
    fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
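The remediation above only writes the directive; a practitioner also wants to verify it took effect. The following audit helper is an added example, not part of this rule's own check content: it scans a modprobe.d directory for an effective "install udf" line (ignoring commented-out lines and a bare "blacklist", which does not stop an explicit modprobe), and reports whether the module is still resident. The helper names and the constructed demo directories under a mktemp path are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the udf "install" directive without touching /etc.

# Return 0 if any *.conf under $1 carries an effective "install udf /bin/true"
# (or /bin/false) directive, 1 otherwise. Comment lines are ignored, as
# modprobe ignores them; a plain "blacklist udf" does not count because it
# only suppresses alias-based autoloading, not an explicit modprobe.
udf_disabled_in() {
    dir="$1"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if LC_ALL=C grep -Eq '^[[:space:]]*install[[:space:]]+udf[[:space:]]+(/bin/true|/bin/false)([[:space:]]|$)' "$f"; then
            return 0
        fi
    done
    return 1
}

# Full host check: directive present AND module not currently loaded.
# The directive only blocks future loads; a module already in memory stays
# until it is unloaded or the host reboots (hence the reboot_required tag).
udf_check_host() {
    dir="${1:-/etc/modprobe.d}"
    if ! udf_disabled_in "$dir"; then
        echo "FAIL: no effective 'install udf /bin/true' in $dir/*.conf"
        return 1
    fi
    if [ -r /proc/modules ] && grep -q '^udf ' /proc/modules; then
        echo "FAIL: udf is currently loaded; unload it or reboot"
        return 1
    fi
    echo "PASS: udf module is disabled"
    return 0
}

# Constructed sample directories (assumption: temp path, not real host config).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/good" "$demo_dir/bad"
printf '# Disable per security requirements\ninstall udf /bin/true\n' > "$demo_dir/good/udf.conf"
printf '# install udf /bin/true\nblacklist udf\n' > "$demo_dir/bad/udf.conf"

for d in good bad; do
    if udf_disabled_in "$demo_dir/$d"; then echo "$d: directive present"; else echo "$d: directive missing"; fi
done
```

Run `udf_check_host` with no argument to audit the real /etc/modprobe.d on a host.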

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Ensure kernel module 'udf' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/udf.conf
    regexp: install\s+udf
    line: install udf /bin/true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - NIST-800-171-3.4.6
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - disable_strategy
    - kernel_module_udf_disabled
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required