Skip to content

Disable Mounting of hfsplus

An XCCDF Rule

Description

To configure the system to prevent the hfsplus kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfsplus.conf:

install hfsplus /bin/true
To configure the system to prevent the hfsplus from being used, add the following line to file /etc/modprobe.d/hfsplus.conf:
blacklist hfsplus
This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

ID
xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled
Severity
Low
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if LC_ALL=C grep -q -m 1 "^install hfsplus" /etc/modprobe.d/hfsplus.conf ; then
	
	sed -i 's#^install hfsplus.*#install hfsplus /bin/true#g' /etc/modprobe.d/hfsplus.conf

Remediation - Kubernetes Patch

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:

Remediation - Ansible

- name: Ensure kernel module 'hfsplus' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/hfsplus.conf
    regexp: install\s+hfsplus
    line: install hfsplus /bin/false