diff --git a/benchmarks/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-diasbled.md b/benchmarks/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-diasbled.md new file mode 100644 index 0000000000000000000000000000000000000000..45d45f1528d6d8ceac38d1eb9c992e14c7437edd --- /dev/null +++ b/benchmarks/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-diasbled.md @@ -0,0 +1,57 @@ +# 1.52 确保已禁用cramfs文件系统的挂载 + +## 安全等级 + +- Level 1 + +## 描述 + +cramfs文件系统是压缩的只读Linux文件系统,用于嵌入式系统。cramfs映像可以在不必先解压映像的情况下使用。 + +删除不需要的文件系统类型的支持可以减少系统本地攻击面。如果不需要这种文件系统类型,请禁用它。 + +## 修复建议 + +目标:确保cramfs文件系统的挂载被禁用。 + +1. 执行以下命令,在/etc/modprobe.d/目录中编辑或创建一个以.conf结尾的文件,并添加配置。 + +```bash +# echo "install cramfs /bin/false" >> /etc/modprobe.d/cramfs.conf +# echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf +``` + +2. 运行以下命令以卸载cramfs模块: + +```bash +# modprobe -r cramfs +``` + +## 扫描检测 + +运行以下命令并验证输出是否符合预期。 + +1. 模块将如何被加载 + +```bash +# modprobe -n -v cramfs | grep "^install" +install /bin/false +``` + +2. 模块当前是否已加载 + +```bash +# lsmod | grep cramfs + +``` + +3. 模块是否被列入黑名单 + +```bash +# grep -E "^blacklist\s+cramfs" /etc/modprobe.d/* +blacklist cramfs +``` + +## 参考 + +- cis: diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md index c97f4f0222f9f9ec489561dba19e255c71d43bd0..3f918dc6394d2f6af8be9e293f2e9d15a30fe8c3 100644 --- a/docs/summary-of-rules.md +++ b/docs/summary-of-rules.md 
@@ -51,6 +51,7 @@ | 1.49 | 1.49-lock-or-delete-the-shutdown-and-halt-users.md | 1.49 锁定或删除shutdown、halt用户 | benchmarks/access-and-control | 1 | | 1.50 | 1.50-ensure-ssh-x11-forwarding-is-disabled.md | 1.50 确保SSH X11转发功能被禁用 | benchmarks/access-and-control | 1 | | 1.51 | 1.51-ensure-mounting-of-udf-filesystems-is-disabled.md | 1.51 确保udf文件系统的挂载被禁用 | benchmarks/access-and-control | 1 | +| 1.52 | 1.52-ensure-mounting-of-cramfs-filesystems-is-disabled | 1.52 确保cramfs文件系统的挂载被禁用 | benchmarks/access-and-control | 1 | | 2.1 | 2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.md | 2.1 确保审计日志的文件权限被正确配置 | benchmarks/logging-and-auditing | 1 | | 2.2 | 2.2-ensure-only-authorized-users-own-audit-log-files.md | 2.2 确保审计日志文件的所有者为已授权用户 | benchmarks/logging-and-auditing | 1 | | 2.3 | 2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.md | 2.3 确保审计日志文件的所属组为已授权的用户组 | benchmarks/logging-and-auditing | 1 | diff --git a/remediation-kits/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh b/remediation-kits/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh new file mode 100644 index 0000000000000000000000000000000000000000..9b74e2ec34c5cbc48d4591537791fbf4aaa56da9 --- /dev/null +++ b/remediation-kits/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh @@ -0,0 +1,3 @@ +echo "install cramfs /bin/false" >> /etc/modprobe.d/cramfs.conf +echo "blacklist cramfs" >> /etc/modprobe.d/cramfs.conf +modprobe -r cramfs diff --git a/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh b/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh new file mode 100644 index 0000000000000000000000000000000000000000..0b6e13e72dd91ed7f8d652345b62baba7024ba61 --- /dev/null +++ b/scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh 
@@ -0,0 +1,9 @@ +result=false + +modprobe -n -v cramfs | grep -q "^install" && test -z "$(lsmod | grep -e cramfs)" && grep -E -q "^blacklist[[:blank:]]*cramfs" /etc/modprobe.d/* && result=true + +if [ "$result" == true ]; then + echo "pass" +else + echo "fail" +fi \ No newline at end of file
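Review bot: the new doc under benchmarks/access-and-control/ is named `1.52-ensure-mounting-of-cramfs-filesystems-is-diasbled.md`, while the summary row and both scripts added in this patch spell it `...-is-disabled`; rename it so the rule's doc, scanner and remediation share one basename. In the same file, check 3 uses `^blacklist\s+cramfs` but the scanner uses `^blacklist[[:blank:]]*cramfs`, so the documented check and the automated one can disagree on the same host. The `- cis:` entry under 参考 is empty and should either carry the reference or be dropped.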
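Review bot: in docs/summary-of-rules.md the new 1.52 row gives the file as `1.52-ensure-mounting-of-cramfs-filesystems-is-disabled` without the `.md` suffix that the 1.49 to 1.51 rows above it carry, and it does not match the doc file actually added in this patch (`...-is-diasbled.md`). The title cell (确保cramfs文件系统的挂载被禁用) also differs from the heading in the new doc (确保已禁用cramfs文件系统的挂载); use one wording in both places.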
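Review bot: the two `echo ... >> /etc/modprobe.d/cramfs.conf` lines in the remediation script append unconditionally, so every run adds another copy of both directives to the file. Guard each append with a `grep -q` for the exact line, or write the file with `>` so the result is the same on every run. The script also ends on `modprobe -r cramfs`, so its exit status is that command's; if a non-zero status there should not be reported as a failed remediation, handle it explicitly.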
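Review bot: the first test in the scanner, `grep -q "^install"`, passes on any install override for cramfs, while the doc added in this patch expects the output `install /bin/false`; match the full line so an override that still loads the module does not report "pass". The blacklist pattern `^blacklist[[:blank:]]*cramfs` accepts zero blanks and any longer name that begins with cramfs; `[[:blank:]]+cramfs` followed by a blank or end of line is tighter and agrees with the doc's `\s+`. `[ "$result" == true ]` relies on `==` inside `[`, which is not POSIX, and the file has no interpreter line and no trailing newline; use `=` or add a bash shebang, and end the file with a newline.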