Profile Applicability:
• Level 2
Description:
The squashfs kernel module provides support for the SquashFS compressed read-only filesystem. SquashFS is often used in embedded systems, live CDs, and other environments requiring compressed read-only filesystems.
Rationale:
Disabling the squashfs kernel module when not needed reduces the kernel attack surface by removing unnecessary filesystem support and potential vulnerabilities related to this module.
Impact:
Pros:
Reduces kernel attack surface by disabling unused filesystem modules.
Helps mitigate exploitation risks associated with the squashfs filesystem.
Cons:
Systems requiring SquashFS support will be unable to mount squashfs filesystems if the module is disabled.
Default Value:
The squashfs kernel module may be available and enabled by default on many Linux distributions.
Pre-requisites:
Root or sudo privileges to modify kernel module configurations.
Access to /etc/modprobe.d/ for blacklisting or disabling the module.
Remediation:
Test Plan:
Using Linux command line:
Check if the squashfs module is loaded:
lsmod | grep squashfs
Verify blacklist or disable entries:
grep -r squashfs /etc/modprobe.d/
Test module load behavior:
modprobe -n -v squashfs
Expected output should indicate the module is disabled, e.g., install /bin/false.
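The three Test Plan checks above combined into one audit script (added here as an example, not part of the CIS benchmark); the directory argument is an assumption so the configuration check can be run against a constructed directory as well as the real /etc/modprobe.d:

```shell
#!/bin/sh
# Audit helper for this control. Added example, not part of the CIS benchmark.
# The modprobe.d directory argument is hypothetical so the check is testable offline.

# Return 0 if lsmod output on stdin lists squashfs as a loaded module, else 1.
squashfs_loaded() {
    awk '$1 == "squashfs" { found = 1 } END { exit found ? 0 : 1 }'
}

# Return 0 if the modprobe.d directory has both the "install squashfs /bin/false"
# override and a "blacklist squashfs" line in a *.conf file (the only files
# modprobe reads there); commented-out lines do not count.
squashfs_config_ok() {
    dir="${1:-/etc/modprobe.d}"
    [ -d "$dir" ] || return 1
    grep -Eqs '^[[:space:]]*install[[:space:]]+squashfs[[:space:]]+/bin/false([[:space:]]|$)' "$dir"/*.conf || return 1
    grep -Eqs '^[[:space:]]*blacklist[[:space:]]+squashfs([[:space:]]|$)' "$dir"/*.conf
}

# Return 0 if the dry-run output passed as $1 (from "modprobe -n -v squashfs")
# shows the install override the Test Plan expects, else 1.
squashfs_dryrun_disabled() {
    printf '%s\n' "$1" | grep -Eq '^install[[:space:]]+/bin/false'
}

# Run all three checks of the Test Plan and print PASS/FAIL per item.
audit_squashfs() {
    dir="${1:-/etc/modprobe.d}"
    rc=0
    if lsmod 2>/dev/null | squashfs_loaded; then
        echo "FAIL: squashfs is currently loaded (unload with: modprobe -r squashfs)"; rc=1
    else
        echo "PASS: squashfs is not loaded"
    fi
    if squashfs_config_ok "$dir"; then
        echo "PASS: install and blacklist entries present in $dir"
    else
        echo "FAIL: install /bin/false and/or blacklist entry missing in $dir"; rc=1
    fi
    if squashfs_dryrun_disabled "$(modprobe -n -v squashfs 2>/dev/null)"; then
        echo "PASS: modprobe dry run resolves to install /bin/false"
    else
        echo "FAIL: modprobe dry run would load the module"; rc=1
    fi
    return $rc
}

# Run the audit only when invoked as: sh audit_squashfs.sh --audit [modprobe_dir]
if [ "${1:-}" = "--audit" ]; then audit_squashfs "${2:-}"; fi
```

Run with --audit as root on the target host; a non-zero exit code means at least one Test Plan check failed.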
Implementation Plan:
Using Linux command line:
Create or edit /etc/modprobe.d/squashfs.conf:
echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf
echo "blacklist squashfs" >> /etc/modprobe.d/squashfs.conf
Unload the module if currently loaded:
modprobe -r squashfs
Reboot the system or reload module configurations.
Backout Plan:
Using Linux command line:
Remove blacklist and disable entries:
sed -i '/squashfs/d' /etc/modprobe.d/squashfs.conf
Optionally reload the module:
modprobe squashfs
Reboot the system.
References:
CIS Amazon Linux 2 Benchmark v3.0.0