Profile Applicability:
• Level 1
Description:
The hfsplus kernel module provides support for the HFS Plus filesystem, used primarily by newer Apple Macintosh computers. This filesystem support is generally unnecessary on most Linux systems.
Rationale:
Disabling the hfsplus kernel module when not required reduces the kernel attack surface and prevents exploitation through this filesystem type.
Impact:
Pros:
Reduces kernel attack surface by disabling unused filesystem modules.
Enhances overall system security posture.
Cons:
Systems requiring HFS Plus support will be unable to mount such filesystems if the module is disabled.
Default Value:
The hfsplus kernel module may be available and enabled by default on some Linux distributions.
Pre-requisites:
Root or sudo privileges to modify kernel module configurations.
Access to /etc/modprobe.d/ for blacklist or disable directives.
Remediation:
Test Plan:
Using Linux command line:
Check if the hfsplus module is loaded:
lsmod | grep hfsplus
Verify blacklist or disable entries:
grep -r hfsplus /etc/modprobe.d/
Test module load behavior:
modprobe -n -v hfsplus
Expected output should indicate the module is disabled, e.g., install /bin/false.
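The three test-plan checks above, collected into one auditable script as an added example (not part of the CIS benchmark text); the function names, the config-directory parameter and the constructed sample inputs are assumptions of this example, not values from the benchmark.

```shell
#!/bin/sh
# Audit helpers for the hfsplus recommendation. Each function returns 0 on PASS
# and 1 on FAIL so it can be used in "if" tests or chained with "||".

# PASS when the modprobe.d tree contains both an "install <module> /bin/false"
# line and a "blacklist <module>" line (comment lines are ignored).
# /bin/true is accepted too, as the other common install override value.
check_modprobe_conf() {
    conf_dir="$1"   # e.g. /etc/modprobe.d (parameter name is ours)
    module="$2"     # e.g. hfsplus
    grep -rhE "^[[:space:]]*install[[:space:]]+${module}[[:space:]]+/bin/(false|true)[[:space:]]*$" \
        "$conf_dir" >/dev/null 2>&1 || return 1
    grep -rhE "^[[:space:]]*blacklist[[:space:]]+${module}[[:space:]]*$" \
        "$conf_dir" >/dev/null 2>&1 || return 1
    return 0
}

# PASS when the captured output of "modprobe -n -v <module>" (read from stdin)
# shows the dry run resolving to the install override rather than an insmod
# of the real module file.
check_modprobe_dry_run() {
    grep -qE "^install[[:space:]]+/bin/(false|true)[[:space:]]*$"
}

# PASS when the module does not appear in lsmod-style output read from stdin
# (first column is the module name; exact match, so "hfs" != "hfsplus").
check_not_loaded() {
    module="$1"
    awk -v m="$module" '$1 == m { found = 1 } END { exit found ? 1 : 0 }'
}

# Run all three checks against the live system and print one line per check.
# Not invoked automatically; call "audit_live hfsplus" as root on the host.
audit_live() {
    module="${1:-hfsplus}"
    if check_modprobe_conf /etc/modprobe.d "$module"; then echo "modprobe.d entries: PASS"; else echo "modprobe.d entries: FAIL"; fi
    if modprobe -n -v "$module" 2>/dev/null | check_modprobe_dry_run; then echo "dry-run override: PASS"; else echo "dry-run override: FAIL"; fi
    if lsmod | check_not_loaded "$module"; then echo "module not loaded: PASS"; else echo "module not loaded: FAIL"; fi
}
```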
Implementation Plan:
Using Linux command line:
Create or edit /etc/modprobe.d/hfsplus.conf:
echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf
echo "blacklist hfsplus" >> /etc/modprobe.d/hfsplus.conf
Unload the module if currently loaded:
modprobe -r hfsplus
Reboot the system or reload module configurations.
Backout Plan:
Using Linux command line:
Remove blacklist and disable entries:
sed -i '/hfsplus/d' /etc/modprobe.d/hfsplus.conf
Optionally reload the module:
modprobe hfsplus
Reboot the system.
References:
CIS Amazon Linux 2 Benchmark v3.0.0