search

sandevistan-server-hardening / CIS_Ubuntu_22.04_LTS_Benchmark_v1.0.0

Audit script based on CIS Ubuntu 22.04 LTS Benchmark v1.0.0
MIT License
1 stars 0 forks source link

1.1.1.2 Ensure mounting of squashfs filesystems is disabled #2

Open scfast opened 1 year ago

scfast commented 1 year ago

Profile Applicability:  Level 2 - Server  Level 2 - Workstation Description: The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A squashfs image can be used without having to first decompress the image. Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. Impact: As Snap packages utilizes squashfs as a compressed filesystem, disabling squashfs will cause Snap packages to fail. Snap application packages of software are self-contained and work across a range of Linux distributions. This is unlike traditional Linux package management approaches, like APT or RPM, which require specifically adapted packages per Linux distribution on an application update and delay therefore application deployment from developers to their software's end-user. Snaps themselves have no dependency on any external store ("App store"), can be obtained from any source and can be therefore used for upstream software deployment.

Audit: Run the following script to verify squashfs is disabled:

#!/usr/bin/env bash
{
l_output="" l_output2=""
l_mname="squashfs" # set module name
# Check how module will be loaded
l_loadable="$(modprobe -n -v "$l_mname")"
if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
l_output="$l_output\n - module: \"$l_mname\" is not loadable:
\"$l_loadable\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is loadable:
\"$l_loadable\""
fi
# Check is the module currently loaded
if ! lsmod | grep "$l_mname" > /dev/null 2>&1; then
l_output="$l_output\n - module: \"$l_mname\" is not loaded"
else
l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
fi
# Check if the module is deny listed
if grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then
l_output="$l_output\n - module: \"$l_mname\" is deny listed in:
\"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
else
l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
fi
# Report results. If no failures output in l_output2, we pass
if [ -z "$l_output2" ]; then
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit
failure:\n$l_output2\n"
[ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
fi
}
scfast commented 1 year ago

This audit must be done on the actual machine, virtualization or tools like Docker will fail. This is because modprobe and lsmod may not be loaded. You can't load kernel modules in a Docker container. You need to load them on the host. See https://github.com/sandevistan-server-hardening/CIS_Ubuntu_22.04_LTS_Benchmark_v1.0.0/issues/1