AlmaLinux OS 9 must disable mounting of squashfs.
An XCCDF Rule
Description
Removing support for unneeded filesystem types reduces the local attack surface of the server. A squashfs compressed filesystem image can be mounted without first decompressing the image. Note that Snap packages use squashfs.
- ID: SV-269346r1050228_rule
- Version: ALMA-09-030160
- Severity: Medium
- References
- Updated
Remediation Templates
A Manual Procedure
To configure the system to prevent the squashfs kernel module from being loaded, create a *.conf file in /etc/modprobe.d/ with the following content:
install squashfs /bin/false
blacklist squashfs
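
An audit check for the manual procedure above, added here as an example and not part of the original rule text. It scans the *.conf files in one modprobe.d directory for both lines and reports which is missing. The function names and the constructed demo directory are assumptions.

```shell
#!/bin/sh
# Added example: audit a modprobe.d directory for both squashfs lines.
# Function names and the demo directory are assumptions for illustration.

# has_line DIR REGEX: 0 if any *.conf in DIR holds an active line matching REGEX.
has_line() {
    conf_dir=$1
    regex=$2
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        # Anchoring at line start skips commented-out entries.
        if grep -Eq "^[[:space:]]*${regex}[[:space:]]*\$" "$f"; then
            return 0
        fi
    done
    return 1
}

# audit_squashfs [DIR]: report each missing line; return 0 only if both exist.
audit_squashfs() {
    target=${1:-/etc/modprobe.d}
    rc=0
    # "install ... /bin/false" makes explicit modprobe requests fail.
    if ! has_line "$target" 'install[[:space:]]+squashfs[[:space:]]+/bin/false'; then
        echo "FINDING: 'install squashfs /bin/false' missing in $target"
        rc=1
    fi
    # "blacklist" stops alias-based automatic loading.
    if ! has_line "$target" 'blacklist[[:space:]]+squashfs'; then
        echo "FINDING: 'blacklist squashfs' missing in $target"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "PASS: both squashfs lines present in $target"
    fi
    return "$rc"
}

# Demo on a constructed directory (not the live system configuration).
demo=$(mktemp -d)
printf 'blacklist squashfs\n' > "$demo/squashfs.conf"
audit_squashfs "$demo" || true      # reports the missing install line
printf 'install squashfs /bin/false\n' >> "$demo/squashfs.conf"
audit_squashfs "$demo" || true      # reports PASS
rm -rf "$demo"
```

Run with no argument, audit_squashfs checks /etc/modprobe.d only; other modprobe configuration locations are not scanned.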