← Rules Catalog
lowkernelverified

Ensure unused filesystems kernel modules are not available

unused-filesystems-unavailable · RHEL ≥ 8 · 1 impl

Description

Uncommon filesystem kernel modules (cramfs, freevxfs, hfs, hfsplus, jffs2, squashfs, udf) should not be loadable, reducing the kernel's attack surface for filesystems the system does not need.

Rationale

Every loadable filesystem driver is potential attack surface. Disabling drivers the system does not use removes that surface and the risk of automatic mounting of malicious media.

Check → Remediate

Checkcommand
bad=""
for m in cramfs freevxfs hfs hfsplus jffs2 squashfs udf; do
  loadable=$(modprobe -n -v "$m" 2>/dev/null | grep -vE 'install (/bin|/usr/bin)?/?(true|false)' | grep -c "$m")
  loaded=$(lsmod 2>/dev/null | grep -c "^$m ")
  if [ "$loadable" -ne 0 ] || [ "$loaded" -ne 0 ]; then bad="$bad $m"; fi
done
if [ -n "$bad" ]; then echo "FAIL: loadable/loaded unused fs modules:$bad"; exit 1; fi
echo "OK: all unused filesystem modules unavailable"
expected_exit:
0
Remediatemanual
note:
For each reported module add `install <mod> /bin/false` and `blacklist <mod>` under /etc/modprobe.d/, then unload it with `modprobe -r <mod>`.

Framework references

CIS

rhel9 1.1.1.9rhel8 1.1.1.11rhel10 1.1.1.11

NIST 800-53

CM-7

Live verification

rhel9:check
#kernel-module#filesystem#attack-surface