Disable Mounting of vFAT filesystems

An XCCDF Rule

Description

To configure the system to prevent the vfat kernel module from being loaded, add the following line to the file /etc/modprobe.d/vfat.conf:

install vfat /bin/true

This effectively prevents usage of this uncommon filesystem. The vFAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12, FAT16, and FAT32 all of which are supported by the vfat kernel module.

Rationale

Removing support for unneeded filesystems reduces the local attack surface of the system.

ID: xccdf_org.ssgproject.content_rule_kernel_module_vfat_disabled
Severity: Low
References: 11 14 3 9

BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06

3.4.6

4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6

A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2

CM-6(a) CM-7(a) CM-7(b)

PR.IP-1 PR.PT-3

1.1.1.3

CCE-92300-3
Updated: about 1 year ago

- name: Ensure kernel module 'vfat' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/vfat.conf
    regexp: install\s+vfat
    line: install vfat /bin/false  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-92300-3
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - kernel_module_vfat_disabled
  - low_complexity
  - low_severity
  - medium_disruption
  - reboot_required

- name: Ensure kernel module 'vfat' is blacklisted
  lineinfile:
    create: true
    dest: /etc/modprobe.d/vfat.conf
    regexp: ^blacklist vfat$
    line: blacklist vfat
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-92300-3
  - NIST-800-171-3.4.6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_strategy
  - kernel_module_vfat_disabled
  - low_complexity
  - low_severity
  - medium_disruption
  - reboot_required

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if LC_ALL=C grep -q -m 1 "^install vfat" /etc/modprobe.d/vfat.conf ; then
	
	sed -i 's#^install vfat.*#install vfat /bin/true#g' /etc/modprobe.d/vfat.confelse
	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/vfat.conf
	echo "install vfat /bin/false" >> /etc/modprobe.d/vfat.conf
fi

if ! LC_ALL=C grep -q -m 1 "^blacklist vfat$" /etc/modprobe.d/vfat.conf ; then
	echo "blacklist vfat" >> /etc/modprobe.d/vfat.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable Mounting of vFAT filesystems

Description

Rationale

Remediation - Ansible

Remediation - Shell Script