{"description": "\nTo configure the system to prevent the <code>cramfs</code>\nkernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/cramfs.conf</code>:\n<pre>install cramfs /bin/false</pre>\nWith this entry, <code>modprobe</code> runs <code>/bin/false</code> instead of loading the module, so an attempt to load\n<code>cramfs</code> fails with a non-zero exit status and an error message that makes the intent of the entry visible to the user.\nIf you would prefer the load attempt to return a zero exit status and print no error message (the module is still not loaded), add this line instead\n(both <code>/bin/true</code> and <code>/bin/false</code> are allowed by OVAL and will be accepted by the scan):\n<pre>install cramfs /bin/true</pre>\n\nThis effectively prevents usage of this uncommon filesystem.\n\nThe <tt>cramfs</tt> filesystem type is a compressed read-only\nLinux filesystem embedded in small-footprint systems. A\n<tt>cramfs</tt> image can be used without having to first\ndecompress the image.", "rationale": "Removing support for unneeded filesystem types reduces the local attack surface\nof the server.", "severity": "low", "references": {"cis-csc": ["11", "14", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS05.02", "DSS05.05", "DSS06.06"], "cui": ["3.4.6"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.9.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.IP-1", "PR.PT-3"], "srg": 
["SRG-OS-000095-GPOS-00049"], "cis": ["1.1.1.1"]}, "control_references": {"cis": ["1.1.1.1"]}, "components": [], "identifiers": {}, "ocil_clause": "no line is returned", "ocil": "\nIf the system is configured to prevent the loading of the <code>cramfs</code> kernel module,\nsome file in <code>/etc/modprobe.d</code> or the deprecated <code>/etc/modprobe.conf</code> will contain a line\nthat instructs the module loading system to run another program (such as <code>/bin/false</code>) upon a module <code>install</code> event.\n\nRun the following command to search for such lines in all files in <code>/etc/modprobe.d</code> and the deprecated <code>/etc/modprobe.conf</code>:\n<pre>$ grep -r cramfs /etc/modprobe.conf /etc/modprobe.d</pre>", "oval_external_content": null, "fixtext": " Configure Ubuntu 22.04 to disable the ability to use the cramfs kernel module.\nAdd or update the following lines in the file \"/etc/modprobe.d/blacklist.conf\":\ninstall cramfs /bin/true\nblacklist cramfs\nReboot the system for the settings to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": " The kernel module cramfs must be disabled in Ubuntu 22.04.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must disable mounting of cramfs.", "vuldiscussion": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the server.\n\nCompressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. 
It is mainly used in embedded and small-footprint systems.", "checktext": "Verify that Ubuntu 22.04 disables the ability to load the cramfs kernel module with the following command:\n\n$ grep -r cramfs /etc/modprobe.conf /etc/modprobe.d/*\n\ninstall cramfs /bin/false\nblacklist cramfs\n\nIf the command does not return any output or the lines are commented out, and use of cramfs is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.", "fixtext": "To configure the system to prevent the cramfs kernel module from being loaded, add the following lines to the file /etc/modprobe.d/blacklist.conf (or create blacklist.conf if it does not exist):\n\ninstall cramfs /bin/false\nblacklist cramfs"}}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable Mounting of cramfs", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml", "template": {"name": "kernel_module_disabled", "vars": {"kernmodule": "cramfs"}, "backends": {}}}
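The check in the rule above is a plain `grep -r cramfs`, which also matches commented-out lines and modules with similar names, and the `checktext` leaves it to the auditor to tell a bare `blacklist` line (which only stops alias-driven autoloading) from the `install` line that actually blocks `modprobe cramfs`. The POSIX shell script below is an added example, not part of the SCAP Security Guide rule or its OVAL/OCIL content: it audits a modprobe.d tree for an active `install cramfs /bin/true|/bin/false` line, reports why a tree fails, and checks a `/proc/filesystems`-style listing, because a driver built into the kernel (or already loaded) cannot be disabled by any modprobe.d entry and `insmod` bypasses modprobe configuration entirely. The directory names, file contents and the `/proc/filesystems` sample are constructed input; only `sh`, `grep -E` and `mktemp` are assumed.

```shell
#!/bin/sh
# Added example (not from the SCAP rule): audit a modprobe.d tree for an
# active "install <module> /bin/false|/bin/true" line, distinguishing it from
# a commented-out line, a bare "blacklist" line, and a similarly named module.
# All directories and files created below are constructed sample input.

# Print uncommented install/blacklist lines for module $2 found under $1.
# Leading whitespace is allowed; a leading '#' makes the line inactive.
modprobe_active_lines() {
  grep -rhE "^[[:space:]]*(install|blacklist)[[:space:]]+$2([[:space:]]|\$)" "$1" 2>/dev/null || true
}

# 0 if an active "install <module> /bin/true" or "/bin/false" line exists.
# This is the directive that stops an explicit "modprobe <module>".
module_install_disabled() {
  modprobe_active_lines "$1" "$2" |
    grep -qE "^[[:space:]]*install[[:space:]]+$2[[:space:]]+/bin/(true|false)([[:space:]]|\$)"
}

# 0 if an active "blacklist <module>" line exists. On its own, blacklist only
# stops alias-driven autoloading; "modprobe <module>" still loads the module.
module_blacklisted() {
  modprobe_active_lines "$1" "$2" | grep -qE "^[[:space:]]*blacklist[[:space:]]+$2([[:space:]]|\$)"
}

# 0 if filesystem $2 appears in a /proc/filesystems-style listing $1.
# If it is listed while the module is absent from lsmod, the driver is built
# into the kernel and no modprobe.d entry can disable it.
fs_registered() {
  grep -qE "^(nodev)?[[:space:]]*$2\$" "$1"
}

# Print PASS/FAIL with the reason; return 0 only on PASS.
audit_module() {
  dir=$1; mod=$2
  if module_install_disabled "$dir" "$mod"; then
    if module_blacklisted "$dir" "$mod"; then
      echo "PASS: $mod has active install and blacklist lines"
    else
      echo "PASS: $mod install disabled (no blacklist line)"
    fi
    return 0
  fi
  if module_blacklisted "$dir" "$mod"; then
    echo "FAIL: $mod is only blacklisted; 'modprobe $mod' would still load it"
  else
    echo "FAIL: no active install line for $mod"
  fi
  return 1
}

# Constructed sample trees standing in for /etc/modprobe.d on two hosts.
demo=$(mktemp -d)
mkdir -p "$demo/commented" "$demo/hardened"
printf '# install cramfs /bin/false\nblacklist cramfs\n' > "$demo/commented/cramfs.conf"
printf 'install cramfs /bin/true\nblacklist cramfs\n'   > "$demo/hardened/blacklist.conf"
# Constructed /proc/filesystems sample in which cramfs is registered.
printf 'nodev\tsysfs\n\text4\n\tcramfs\n' > "$demo/filesystems"

audit_module "$demo/commented" cramfs || true   # FAIL: install line is commented out
audit_module "$demo/hardened"  cramfs || true   # PASS
fs_registered "$demo/filesystems" cramfs &&
  echo "cramfs is registered with the kernel: check lsmod, a built-in driver cannot be disabled here"
rm -rf "$demo"
```

To audit a real host, call `audit_module /etc/modprobe.d cramfs` (and `/etc/modprobe.conf` if it exists) and `fs_registered /proc/filesystems cramfs`; a PASS from the first together with a hit from the second means the driver is loaded or built in and the modprobe.d entry only takes effect for future load attempts.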