Profile Applicability:
• Level 2
Description:
The udf kernel module provides support for the Universal Disk Format (UDF) filesystem, commonly used on optical media such as DVDs and Blu-ray discs.
Rationale:
Disabling the udf kernel module when not required reduces the kernel attack surface by preventing the loading of unnecessary filesystem modules, minimizing potential vulnerabilities.
Impact:
Pros:
Reduces kernel attack surface by disabling unused filesystem support.
Helps mitigate risks related to UDF filesystem vulnerabilities.
Cons:
Systems needing to mount UDF filesystems will be unable to do so if the module is disabled.
Default Value:
The udf kernel module may be available and enabled by default on many Linux systems.
Pre-requisites:
Root or sudo privileges to modify kernel module configurations.
Access to /etc/modprobe.d/ to configure blacklisting or disabling.
Remediation:
Test Plan:
Using Linux command line:
Check if the udf module is loaded:
lsmod | grep udf
Verify blacklist or disable entries:
grep -r udf /etc/modprobe.d/
Test module load behavior:
modprobe -n -v udf
Expected output should show the module is disabled, e.g., install /bin/false.
Implementation Plan:
Using Linux command line:
Create or edit /etc/modprobe.d/udf.conf:
echo "install udf /bin/false" > /etc/modprobe.d/udf.conf echo "blacklist udf" >> /etc/modprobe.d/udf.conf
Unload the module if currently loaded:
modprobe -r udf
Reboot the system or reload kernel module configurations.
Backout Plan:
Using Linux command line:
Remove blacklist and disable entries:
sed -i '/udf/d' /etc/modprobe.d/udf.conf
Optionally reload the module:
modprobe udf
Reboot the system.
References:
CIS Amazon Linux 2 Benchmark v3.0.0