lowkernelverified ✓
Ensure unused filesystems kernel modules are not available
unused-filesystems-unavailable · RHEL ≥ 8 · 1 impl
Description
Uncommon filesystem kernel modules (cramfs, freevxfs, hfs, hfsplus, jffs2, squashfs, udf) should not be loadable, reducing the kernel's attack surface for filesystems the system does not need.
Rationale
Every loadable filesystem driver is potential attack surface. Disabling drivers the system does not use removes that surface and the risk of automatic mounting of malicious media.
Check → Remediate
Checkcommand
bad="" for m in cramfs freevxfs hfs hfsplus jffs2 squashfs udf; do loadable=$(modprobe -n -v "$m" 2>/dev/null | grep -vE 'install (/bin|/usr/bin)?/?(true|false)' | grep -c "$m") loaded=$(lsmod 2>/dev/null | grep -c "^$m ") if [ "$loadable" -ne 0 ] || [ "$loaded" -ne 0 ]; then bad="$bad $m"; fi done if [ -n "$bad" ]; then echo "FAIL: loadable/loaded unused fs modules:$bad"; exit 1; fi echo "OK: all unused filesystem modules unavailable"
- expected_exit:
- 0
Remediatemanual
- note:
- For each reported module add `install <mod> /bin/false` and `blacklist <mod>` under /etc/modprobe.d/, then unload it with `modprobe -r <mod>`.
Framework references
CIS
rhel9 1.1.1.9rhel8 1.1.1.11rhel10 1.1.1.11
NIST 800-53
CM-7
Live verification
rhel9:check
#kernel-module#filesystem#attack-surface