Disable Mounting of udf
An XCCDF Rule
Description
To configure the system to prevent the udf
kernel module from being loaded, add the following line to the file /etc/modprobe.d/udf.conf
:
install udf /bin/trueThis effectively prevents usage of this uncommon filesystem. The
udf
filesystem type is the universal disk format
used to implement the ISO/IEC 13346 and ECMA-167 specifications.
This is an open vendor filesystem type for data storage on a broad
range of media. This filesystem type is neccessary to support
writing DVDs and newer optical disc formats.
Rationale
Removing support for unneeded filesystem types reduces the local attack surface of the system.
- ID
- xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled
- Severity
- Low
- References
- Updated
Remediation - Ansible
- name: Ensure kernel module 'udf' is disabled
lineinfile:
create: true
dest: /etc/modprobe.d/udf.conf
regexp: install\s+udf
line: install udf /bin/false
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if LC_ALL=C grep -q -m 1 "^install udf" /etc/modprobe.d/udf.conf ; then
sed -i 's#^install udf.*#install udf /bin/true#g' /etc/modprobe.d/udf.conf