Disable Mounting of udf
An XCCDF Rule
Description
To configure the system to prevent the udf kernel module from being loaded, add the following line to the file /etc/modprobe.d/udf.conf:

    install udf /bin/true

To configure the system to prevent the udf module from being used, add the following line to the file /etc/modprobe.d/udf.conf:

    blacklist udf

This effectively prevents usage of this uncommon filesystem. The udf filesystem type is the universal disk format used to implement the ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats.
Rationale
Removing support for unneeded filesystem types reduces the local attack surface of the system.
- ID: xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled
- Severity: Low
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    if LC_ALL=C grep -q -m 1 "^install udf" /etc/modprobe.d/udf.conf ; then
        sed -i 's#^install udf.*#install udf /bin/true#g' /etc/modprobe.d/udf.conf
    else
        echo "install udf /bin/true" >> /etc/modprobe.d/udf.conf
    fi
fi
Remediation - Ansible
- name: Ensure kernel module 'udf' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/udf.conf
    regexp: install\s+udf
    line: install udf /bin/false
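
To verify the outcome of the remediations above, the following check is an added example, not part of the rule's own content. It reports whether one modprobe.d-style directory carries both lines from the Description and whether udf is already loaded; the function names udf_state and udf_loaded are hypothetical, and both /bin/true and /bin/false are accepted as install targets because both appear on this page.

```shell
#!/bin/sh
# Added example (not from the rule's own content).
# Usage: udf_state /etc/modprobe.d ; udf_loaded && echo "udf is loaded now"

# udf_state DIR
# Prints one of: disabled | install-only | blacklist-only | enabled
#   disabled       - both the install override and the blacklist line exist
#   install-only   - explicit loads are blocked, blacklist line is missing
#   blacklist-only - alias autoloading is blocked, but an explicit
#                    "modprobe udf" still loads the module
#   enabled        - neither line is present
udf_state() {
    dir=$1
    has_install=0
    has_blacklist=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Commented-out lines do not match: the keyword must start the line.
        if grep -Eq '^[[:space:]]*install[[:space:]]+udf[[:space:]]+/bin/(true|false)[[:space:]]*$' "$f"; then
            has_install=1
        fi
        if grep -Eq '^[[:space:]]*blacklist[[:space:]]+udf[[:space:]]*$' "$f"; then
            has_blacklist=1
        fi
    done
    case "$has_install$has_blacklist" in
        11) echo disabled ;;
        10) echo install-only ;;
        01) echo blacklist-only ;;
        *)  echo enabled ;;
    esac
}

# udf_loaded [FILE]
# Returns 0 if udf is listed in FILE (default /proc/modules). The modprobe.d
# lines only affect future loads, so a module loaded earlier stays loaded
# until it is removed or the system reboots.
udf_loaded() {
    grep -q '^udf ' "${1:-/proc/modules}"
}
```
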