
Disable Mounting of hfs

An XCCDF Rule

Description

To configure the system to prevent the hfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfs.conf:

install hfs /bin/true

This effectively prevents usage of this uncommon filesystem.

Rationale

Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.

ID: xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled
Severity: Low

Remediation - Kubernetes Patch

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:

Remediation - Shell Script

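# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if LC_ALL=C grep -q -m 1 "^install hfs" /etc/modprobe.d/hfs.conf ; then
	# An install line already exists: rewrite it to the no-op command
	sed -i 's#^install hfs.*#install hfs /bin/true#g' /etc/modprobe.d/hfs.conf
else
	# No install line yet: append it (this also creates the file if it is missing)
	echo "install hfs /bin/true" >> /etc/modprobe.d/hfs.conf
fi

fi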

Remediation - Ansible

- name: Ensure kernel module 'hfs' is disabled
  lineinfile:
    create: true
    dest: /etc/modprobe.d/hfs.conf
    regexp: install\s+hfs
    line: install hfs /bin/false
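
To audit the result of any of the remediations above, the following added example (not part of the SSG project's content) checks a modprobe.d directory for an active `install hfs` line pointing at `/bin/true` or `/bin/false`, both of which appear on this page and both of which stop modprobe from loading the module. The function names and return-code convention are assumptions of this example; it also checks `/proc/modules`, because an install line does not unload a module that is already loaded.

```shell
#!/bin/sh
# Added example: audit the hfs rule. Function names are hypothetical.

# hfs_install_cmd DIR
# Print the command of every active "install hfs ..." line in DIR/*.conf.
# Exact field matching ignores comment lines and other modules such as hfsplus.
hfs_install_cmd() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk '$1 == "install" && $2 == "hfs" { print $3 }' "$f"
    done
}

# hfs_disabled DIR
# Return 0 if at least one install line exists and every one of them
# runs /bin/true or /bin/false; return 1 otherwise.
hfs_disabled() {
    cmds=$(hfs_install_cmd "$1")
    [ -n "$cmds" ] || return 1
    for c in $cmds; do
        case $c in
            /bin/true|/bin/false) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# hfs_loaded [FILE]
# Return 0 if the hfs module is listed in FILE (default: /proc/modules).
hfs_loaded() {
    awk '$1 == "hfs" { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# Stand-alone use: pass the directory to audit, e.g. /etc/modprobe.d
if [ "$#" -gt 0 ]; then
    if hfs_disabled "$1"; then echo "hfs: install override present"
    else echo "hfs: NOT disabled in $1"; fi
    if hfs_loaded; then echo "hfs: module is currently loaded"; fi
fi
```
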