Profile Applicability:
• Level 1
Description:
The hfs kernel module provides support for the Hierarchical File System (HFS) used by older Apple Macintosh computers. This filesystem support is typically not required on most Linux systems.
Rationale:
Disabling unnecessary filesystem kernel modules such as hfs reduces the attack surface and mitigates potential vulnerabilities related to this filesystem.
Impact:
Pros:
Reduces kernel attack surface by disabling unused filesystem support.
Improves system security by preventing exploitation through this module.
Cons:
Systems that need to mount HFS filesystems will be unable to do so if the module is disabled.
Default Value:
The hfs kernel module may be available and loadable by default on some Linux distributions.
Pre-requisites:
Root or sudo privileges for modifying kernel module configurations.
Access to /etc/modprobe.d/ for blacklist or disable configurations.
Remediation:
Test Plan:
Using Linux command line:
Check if the hfs module is loaded:
lsmod | grep hfs
Verify blacklist or disable entries:
grep -r hfs /etc/modprobe.d/
Test module load behavior:
modprobe -n -v hfs
Expected output should indicate the module is disabled, e.g., install /bin/false.
Implementation Plan:
Using Linux command line:
Create or edit /etc/modprobe.d/hfs.conf:
echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf
echo "blacklist hfs" >> /etc/modprobe.d/hfs.conf
Unload the module if loaded:
modprobe -r hfs
Reboot the system, or re-run modprobe -n -v hfs to confirm the new configuration is in effect (modprobe reads /etc/modprobe.d on every invocation, so no separate reload step is required).
Backout Plan:
Using Linux command line:
Remove blacklist and disable entries:
sed -i '/hfs/d' /etc/modprobe.d/hfs.conf
Optionally reload the module:
modprobe hfs
Reboot the system.
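The following POSIX shell helper scripts the test plan, implementation plan and backout plan above in one place. It is an added example and is not part of the CIS benchmark; the variable and function names (MODULE, MODPROBE_DIR, MODULES_FILE, hfs_audit and the rest) are chosen here. It differs from the plans in three small ways a practitioner will care about: it reads /proc/modules (the source lsmod reads) and compares the whole module name, so a loaded hfsplus module is not mistaken for hfs the way lsmod | grep hfs would; it only scans *.conf files, because modprobe ignores other file names in /etc/modprobe.d even though grep -r would match them; and it treats the install line and the blacklist line as separate checks, since a blacklist line alone only blocks alias-based autoloading while the install line is what stops an explicit modprobe hfs. Overriding MODPROBE_DIR and MODULES_FILE lets the checks be exercised against constructed files without root.

```shell
#!/bin/sh
# Added example: audit / remediate / back out the hfs kernel module the way the
# plans above describe. Not part of the CIS benchmark text.
#
# Assumptions (all names below are chosen for this example):
#   MODULE        module to manage (default hfs)
#   MODPROBE_DIR  where modprobe reads *.conf files (default /etc/modprobe.d)
#   MODULES_FILE  kernel module list (default /proc/modules, the source lsmod reads)
# Overriding the two paths lets the checks run against constructed files without root.
MODULE="${MODULE:-hfs}"
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
MODULES_FILE="${MODULES_FILE:-/proc/modules}"

# 0 if some *.conf file maps the module to /bin/false (or /bin/true, which other
# benchmark versions use); this is what stops "modprobe hfs" from loading it.
# Only *.conf files count: modprobe ignores other names in the directory.
hfs_install_disabled() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+${MODULE}[[:space:]]+/bin/(false|true)([[:space:]]|$)" \
        "${MODPROBE_DIR}"/*.conf
}

# 0 if some *.conf file blacklists the module. A blacklist line alone only
# blocks alias-based autoloading, so both lines are required for a PASS.
hfs_blacklisted() {
    grep -Eqs "^[[:space:]]*blacklist[[:space:]]+${MODULE}[[:space:]]*$" \
        "${MODPROBE_DIR}"/*.conf
}

# 0 if the module is not currently loaded. Comparing the whole first field of
# /proc/modules avoids the false positive "lsmod | grep hfs" gives for hfsplus.
# A missing MODULES_FILE makes awk fail, which is reported as "not loaded".
hfs_not_loaded() {
    ! awk -v m="$MODULE" '$1 == m { found = 1 } END { exit found ? 0 : 1 }' \
        "$MODULES_FILE" 2>/dev/null
}

# Test plan: report each check and return 0 only if all of them pass.
hfs_audit() {
    rc=0
    hfs_install_disabled || { echo "FAIL: no 'install ${MODULE} /bin/false' in ${MODPROBE_DIR}/*.conf"; rc=1; }
    hfs_blacklisted      || { echo "FAIL: no 'blacklist ${MODULE}' in ${MODPROBE_DIR}/*.conf"; rc=1; }
    hfs_not_loaded       || { echo "FAIL: ${MODULE} is currently loaded"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: ${MODULE} is disabled and not loaded"
    return "$rc"
}

# Implementation plan, step 1: write both lines to <dir>/<module>.conf.
hfs_write_config() {
    mkdir -p "$MODPROBE_DIR" &&
    printf 'install %s /bin/false\nblacklist %s\n' "$MODULE" "$MODULE" \
        > "${MODPROBE_DIR}/${MODULE}.conf"
}

# Implementation plan, step 2: unload the module if it is resident (needs root).
hfs_unload() {
    hfs_not_loaded || modprobe -r "$MODULE"
}

# Backout plan: remove the config file; the module can then be loaded again.
hfs_backout() {
    rm -f "${MODPROBE_DIR}/${MODULE}.conf"
}

# Usage: sh hfs-module.sh audit | remediate | backout
case "${1:-}" in
    audit)     hfs_audit ;;
    remediate) hfs_write_config && hfs_unload && hfs_audit ;;
    backout)   hfs_backout ;;
esac
```

Run it as root with audit first to see which of the three checks fails, then remediate, which writes the file, unloads the module and re-audits in one step. The remediate path deliberately refuses to report PASS while the module is still resident, which catches the common mistake of writing the config and forgetting to unload or reboot.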
References:
CIS Amazon Linux 2 Benchmark v3.0.0