Profile Applicability:
• Level 1

Description:
 
The freevxfs kernel module supports the Veritas File System (VxFS), a commercial filesystem used in some environments. This module is rarely needed on typical Linux systems.

Rationale:
 
Disabling unused kernel modules such as freevxfs reduces the kernel attack surface and limits potential vectors for exploitation.

Impact:
 
Pros:

  • Reduces potential kernel attack vectors by disabling unnecessary filesystem support.

  • Enhances overall system security posture.

Cons:

  • Systems that require Veritas File System support will not be able to mount freevxfs filesystems if the module is disabled.

Default Value:

The freevxfs kernel module may be available and loadable by default on some Linux distributions.

Pre-requisites:

  • Root or sudo privileges to modify kernel module settings.

  • Access to /etc/modprobe.d/ for configuration changes.

Remediation:

Test Plan:

Using Linux command line:

  1. Check if the freevxfs module is loaded:

     lsmod | grep freevxfs

  2. Verify if the module is blacklisted or disabled:

     grep -r freevxfs /etc/modprobe.d/

  3. Test module load behavior:

     modprobe -n -v freevxfs

     Expected output should indicate the module is disabled, e.g., install /bin/false.
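
The three checks above combined into one audit script, as an added example that is not part of the original benchmark text. The function names, the PASS/FAIL output format and the --live switch are assumptions of this example; unlike the plain grep in step 2, it ignores commented-out lines, and it only inspects *.conf files directly under the given directory.

```shell
#!/bin/sh
# Added example: audit the freevxfs hardening state. Directory and module-list
# paths are parameters (assumed defaults: /etc/modprobe.d and /proc/modules).

# module_loaded MODULE MODULES_FILE: true if MODULE is the first field of a line.
module_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "$2"
}

# conf_has DIR MODULE KEYWORD [ARG]: true if an uncommented line
# "KEYWORD MODULE [ARG]" exists in a *.conf file directly under DIR.
conf_has() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$2" -v k="$3" -v a="${4:-}" \
            '$1 == k && $2 == m && (a == "" || $3 == a) { hit = 1 }
             END { exit !hit }' "$f" && return 0
    done
    return 1
}

# audit_module MODULE [CONF_DIR] [MODULES_FILE]: prints one line per check,
# returns 0 only if all three checks pass.
audit_module() {
    mod="$1"; conf="${2:-/etc/modprobe.d}"; mods="${3:-/proc/modules}"
    rc=0
    if module_loaded "$mod" "$mods"; then
        echo "FAIL: $mod is currently loaded"; rc=1
    else
        echo "PASS: $mod is not loaded"
    fi
    if conf_has "$conf" "$mod" install /bin/false; then
        echo "PASS: install $mod /bin/false is set"
    else
        echo "FAIL: no active 'install $mod /bin/false' line in $conf"; rc=1
    fi
    if conf_has "$conf" "$mod" blacklist; then
        echo "PASS: blacklist $mod is set"
    else
        echo "FAIL: no active 'blacklist $mod' line in $conf"; rc=1
    fi
    return "$rc"
}

# Audit the running system only when invoked with --live.
if [ "${1:-}" = "--live" ]; then audit_module freevxfs; exit; fi
```

Run it as root with --live on the target host, or pass a copied configuration directory and module list as the second and third arguments to audit_module.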

Implementation Plan:

Using Linux command line:

  1. Create or edit /etc/modprobe.d/freevxfs.conf:

     echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf
     echo "blacklist freevxfs" >> /etc/modprobe.d/freevxfs.conf

  2. Unload the module if currently loaded:

     modprobe -r freevxfs

  3. Reboot the system or reload kernel module configurations.

Backout Plan:

Using Linux command line:

  1. Remove the blacklist and disable entries:

     sed -i '/freevxfs/d' /etc/modprobe.d/freevxfs.conf

  2. Optionally reload the module:

     modprobe freevxfs

  3. Reboot the system to apply changes.
