Disable Mounting of hfs
An XCCDF Rule
Description
To configure the system to prevent the hfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/hfs.conf
:
install hfs /bin/trueThis effectively prevents usage of this uncommon filesystem.
Rationale
Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.
- ID
- xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled
- Severity
- Low
- References
- Updated
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if LC_ALL=C grep -q -m 1 "^install hfs" /etc/modprobe.d/hfs.conf ; then
sed -i 's#^install hfs.*#install hfs /bin/true#g' /etc/modprobe.d/hfs.conf
Remediation - Ansible
- name: Ensure kernel module 'hfs' is disabled
lineinfile:
create: true
dest: /etc/modprobe.d/hfs.conf
regexp: install\s+hfs
line: install hfs /bin/false