sandevistan-server-hardening / CIS_Ubuntu_22.04_LTS_Benchmark_v1.0.0

Audit script based on CIS Ubuntu 22.04 LTS Benchmark v1.0.0
MIT License

1.1.1.3 Ensure mounting of udf filesystems is disabled #3

Open scfast opened 1 year ago

scfast commented 1 year ago

Profile Applicability: Level 2 - Server; Level 2 - Workstation

Description: The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats.

Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

Impact: Microsoft Azure requires the usage of udf. udf should not be disabled on systems run on Microsoft Azure.

Audit: Run the following script to verify udf is disabled:

#!/usr/bin/env bash
{
    l_output="" l_output2=""
    l_mname="udf" # set module name
    # Check how the module would be loaded: -n is a dry run, so nothing is actually
    # inserted; an "install udf /bin/true|false" line means it cannot be loaded
    l_loadable="$(modprobe -n -v "$l_mname")"
    if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
        l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
    else
        l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
    fi
    # Check if the module is currently loaded. Anchor on the whole module name at the
    # start of the lsmod line so that other modules merely containing "udf" do not match
    if ! lsmod | grep -qw "^$l_mname"; then
        l_output="$l_output\n - module: \"$l_mname\" is not loaded"
    else
        l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
    fi
    # Check if the module is deny listed in any /etc/modprobe.d configuration file
    if grep -Pq -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*; then
        l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
    else
        l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
    fi
    # Report results. l_output2 collects failures; if it is empty, the audit passes
    if [ -z "$l_output2" ]; then
        echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
    else
        echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
        [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
    fi
}

scfast commented 1 year ago

This audit must be done on the actual machine; virtualization or tools like Docker will fail. This is because modprobe and lsmod may not be loaded. You can't load kernel modules in a Docker container. You need to load them on the host. See https://github.com/sandevistan-server-hardening/CIS_Ubuntu_22.04_LTS_Benchmark_v1.0.0/issues/1
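The same three-part check (module pinned to /bin/true or /bin/false, denylisted, not loaded), generalised to a list of filesystem modules and with the container failure mode from this thread reported explicitly, as an added example that is not the repository's audit script. It assumes only /etc/modprobe.d/*.conf is consulted (modprobe ignores other file names there) and reads the files directly instead of calling modprobe -n -v, so /run and /lib modprobe.d directories are not covered; function names are this example's own.

```shell
#!/bin/sh
# Added example, not the repository's script. Audits that each named filesystem
# module is disabled the CIS way and refuses to report a result where kernel
# module state is not observable (Docker container, chroot).
# Assumption: only /etc/modprobe.d/*.conf is checked; no modprobe -n -v call.

# 0 if some $1/*.conf both installs module $2 as /bin/true|false and denylists it.
module_config_ok() {
    local dir="$1" mod="$2" rc=0
    if ! grep -Eqs -- "^[[:blank:]]*install[[:blank:]]+$mod[[:blank:]]+/bin/(true|false)([[:blank:]]|$)" "$dir"/*.conf; then
        echo " - $mod: no 'install $mod /bin/false' line in $dir"; rc=1
    fi
    if ! grep -Eqs -- "^[[:blank:]]*blacklist[[:blank:]]+$mod([[:blank:]]|$)" "$dir"/*.conf; then
        echo " - $mod: no 'blacklist $mod' line in $dir"; rc=1
    fi
    return $rc
}

# 0 if module $1 is absent from the loaded-module table ($2 defaults to /proc/modules;
# a constructed file is passed in tests). Anchors on the whole name so "udf" does not match "udf_foo".
module_not_loaded() {
    local mod="$1" table="${2:-/proc/modules}"
    ! grep -Eq -- "^$mod[[:blank:]]" "$table"
}

# 0 when module state is observable; in a container /proc/modules is usually unreadable and modprobe missing.
can_audit_modules() {
    [ -r /proc/modules ] && command -v modprobe >/dev/null 2>&1
}

# audit_fs_modules <modprobe.d dir> <module>...  ->  0 PASS, 1 FAIL, 2 not auditable here
audit_fs_modules() {
    local dir="$1" rc=0 m; shift
    if ! can_audit_modules; then
        echo "cannot audit kernel modules here (no /proc/modules or modprobe); run on the host, not in a container"
        return 2
    fi
    for m in "$@"; do
        module_config_ok "$dir" "$m" || rc=1
        module_not_loaded "$m" || { echo " - $m: currently loaded"; rc=1; }
    done
    if [ "$rc" -eq 0 ]; then echo "** PASS **"; else echo "** FAIL **"; fi
    return $rc
}

# Usage: sh fsmod_audit.sh --run udf cramfs   (without --run only the functions are defined)
if [ "${1:-}" = "--run" ]; then
    shift; audit_fs_modules /etc/modprobe.d "$@"
fi
```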