Profile Applicability:
• Level 1
Description:
The cramfs filesystem is a compressed read-only Linux filesystem commonly used in embedded systems. The cramfs kernel module allows the system to mount cramfs filesystems.
Rationale:
Disabling the cramfs kernel module when it is not needed reduces the system's attack surface by preventing exploitation of vulnerabilities related to this filesystem type.
Impact:
Pros:
Reduces kernel attack surface by disabling unnecessary filesystem support.
Prevents potential exploitation via the cramfs filesystem.
Cons:
Systems requiring cramfs will not be able to mount such filesystems if the module is disabled.
Default Value:
The cramfs kernel module may be available and enabled by default on many Linux systems.
Pre-requisites:
Root or sudo privileges to modify kernel module configurations.
Access to /etc/modprobe.d/ to blacklist or disable modules.
Remediation:
Test Plan:
Using Linux command line:
Verify if the cramfs module is loaded:
lsmod | grep cramfs
Check for blacklisting or disabling of the module:
grep -r cramfs /etc/modprobe.d/
Test module load behavior:
modprobe -n -v cramfs
Expected output should indicate the module is disabled, e.g., install /bin/false.
Implementation Plan:
Using Linux command line:
Create or edit the file /etc/modprobe.d/cramfs.conf:
echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf
echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf
Unload the cramfs module if currently loaded:
modprobe -r cramfs
Reboot the system or reload module configurations.
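The following script is an added example and is not part of the CIS Benchmark text. It turns the Test Plan checks (module loaded, modprobe.d entries present, modprobe dry run) and the Implementation Plan file contents into shell functions. The function names (module_loaded, install_false_set, blacklisted, config_compliant, modprobe_disabled, write_disable_conf, audit) are this example's own; the module name and the modprobe.d directory are parameters so the configuration checks can be exercised against a scratch directory instead of the live /etc/modprobe.d.

```bash
#!/bin/sh
# Added example (not part of the CIS Benchmark): audit and remediation helper
# for the cramfs module. Usage: sh cramfs-audit.sh [module] [modprobe.d dir]
# Module names are used inside grep -E patterns, so keep them to plain
# alphanumerics (which real kernel module names are).

MOD="${1:-cramfs}"
MODPROBE_D="${2:-/etc/modprobe.d}"

# 0 if the module is listed in /proc/modules (i.e. loaded), 1 otherwise.
# /proc/modules lines start with "<name> <size> ...", so anchor on the name.
module_loaded() {
    [ -r /proc/modules ] || return 1
    grep -q "^$1 " /proc/modules
}

# 0 if a *.conf file in $2 has an active (uncommented) "install $1 /bin/false".
install_false_set() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/false([[:space:]]|\$)" "$2"/*.conf
}

# 0 if a *.conf file in $2 has an active "blacklist $1" line.
blacklisted() {
    grep -Eqs "^[[:space:]]*blacklist[[:space:]]+$1([[:space:]]|\$)" "$2"/*.conf
}

# 0 only when both entries the Implementation Plan writes are present.
config_compliant() {
    install_false_set "$1" "$2" && blacklisted "$1" "$2"
}

# Dry run: ask modprobe what it would do. 0 if it would run /bin/false
# instead of loading the module, 1 if it would load it, 2 if modprobe is
# not available (e.g. inside a container without kmod).
modprobe_disabled() {
    command -v modprobe >/dev/null 2>&1 || return 2
    modprobe -n -v "$1" 2>/dev/null | grep -q '/bin/false'
}

# Implementation Plan, step 1: write <dir>/<mod>.conf with both directives.
# Keeping both lines in a file named after the module confines the backout
# step (sed -i '/cramfs/d' /etc/modprobe.d/cramfs.conf) to that one file.
write_disable_conf() {
    printf 'install %s /bin/false\nblacklist %s\n' "$1" "$1" > "$2/$1.conf"
}

# Run the Test Plan and report each check; returns 0 when every check passes.
audit() {
    mod="$1"; dir="$2"; rc=0
    if module_loaded "$mod"; then
        echo "FAIL: $mod is currently loaded (modprobe -r $mod to unload)"; rc=1
    else
        echo "PASS: $mod is not loaded"
    fi
    if install_false_set "$mod" "$dir"; then
        echo "PASS: install $mod /bin/false found in $dir"
    else
        echo "FAIL: no 'install $mod /bin/false' entry in $dir"; rc=1
    fi
    if blacklisted "$mod" "$dir"; then
        echo "PASS: blacklist $mod found in $dir"
    else
        echo "FAIL: no 'blacklist $mod' entry in $dir"; rc=1
    fi
    modprobe_disabled "$mod"
    case $? in
        0) echo "PASS: modprobe -n -v $mod would run /bin/false" ;;
        2) echo "SKIP: modprobe not available, dry run not performed" ;;
        *) echo "FAIL: modprobe -n -v $mod would load the module"; rc=1 ;;
    esac
    return $rc
}

# Audit the live system when run as a script.
if audit "$MOD" "$MODPROBE_D"; then
    echo "RESULT: $MOD is disabled"
else
    echo "RESULT: $MOD is NOT fully disabled"
fi
```

The config checks deliberately ignore commented-out lines, which is what a plain grep -r cramfs /etc/modprobe.d/ does not do: a file containing only "# blacklist cramfs" would satisfy the grep but leave the module loadable, and the dry run (modprobe -n -v cramfs) is the authoritative confirmation that the install rule is actually in effect.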
Backout Plan:
Using Linux command line:
Remove cramfs disable and blacklist entries:
sed -i '/cramfs/d' /etc/modprobe.d/cramfs.conf
Optionally reload the module:
modprobe cramfs
Reboot the system.
References:
CIS Amazon Linux 2 Benchmark v3.0.0