control "C-1.1.1.1" do
  title "Ensure mounting of cramfs filesystems is disabled"
  desc "The `cramfs` filesystem type is a compressed read-only Linux
  filesystem embedded in small footprint systems. A `cramfs` image can be
  used without having to first decompress the image."
  desc "rationale", "Removing support for unneeded filesystem types reduces
  the local attack surface of the server. If this filesystem type is not needed,
  disable it."
  impact 0.7
  tag severity: 'high'
  tag nist: ["CM-6"]
  tag cis_scored: true
  tag cis_version: '1.2.0'
  tag cis_level: 3
  tag cis_controls: ["5.1"]
  tag cis_cdc_version: 7
  tag cis_rid: "1.1.1.1"
  desc "check", "Run the following commands and verify the output is as
  indicated:
  install /bin/true"
  desc "fix", "Edit or create a file in the `/etc/modprobe.d/` directory ending in
  .conf
  Example: `vi /etc/modprobe.d/cramfs.conf`
  and add the following line:
  install cramfs /bin/true
  Run the following command to unload the `cramfs` module:"
  # Pass only if cramfs is not currently loaded and modprobe is configured
  # to refuse loading it.
  describe kernel_module('cramfs') do
    it { should_not be_loaded }
    it { should be_disabled }
    it { should be_blacklisted }
  end
end