Saltstack Official Linux Formula

cis-1-1-1-8.yml 1.4KB

# 1.1.1.8 Ensure mounting of FAT filesystems is disabled
#
# Description
# ===========
# The FAT filesystem format is primarily used on older Windows systems and
# portable USB drives or flash modules. It comes in three types: FAT12, FAT16,
# and FAT32, all of which are supported by the vfat kernel module.
#
# Rationale
# =========
# Removing support for unneeded filesystem types reduces the local attack
# surface of the server. If this filesystem type is not needed, disable it.
#
# Audit
# =====
# Run the following commands and verify the output is as indicated:
#
# # modprobe -n -v vfat
# install /bin/true
# # lsmod | grep vfat
# <No output>
#
# Remediation
# ===========
#
# Edit or create the file /etc/modprobe.d/CIS.conf and add the following line:
#
# install vfat /bin/true
#
# Impact
# ======
# FAT filesystems are often used on portable USB sticks and other flash
# media that are commonly used to transfer files between workstations;
# removing VFAT support may prevent the ability to transfer files in this way.
#
# NOTE
# ====
# In Ubuntu 16.04 vfat is built into the kernel, and the 'install' command
# from the modprobe.d dir has no effect. However, this is still checked by
# CIS-CAT in Ubuntu 16.04 benchmark v.1.0.0. This was removed in v.1.1.0.
#
parameters:
  linux:
    system:
      kernel:
        module:
          vfat:
            install:
              command: /bin/true
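
The audit steps from the comments above, extended to report the built-in-kernel case described in the NOTE, as an added shell example that is not part of the formula. The function names, result strings and the choice to read a single modprobe.d directory are assumptions of this example; `modprobe -n -v vfat` remains the authoritative check on a live host.

```shell
#!/bin/sh
# Added example: audit one kernel module against CIS 1.1.1.8.
# All paths are arguments so the checks can run on constructed sample files.

# 0 if a *.conf file in directory $1 contains "install <$2> /bin/true".
has_install_override() {
    [ -d "$1" ] || return 1
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        # Commented-out lines never match because their first field is "#...".
        if awk -v m="$2" '$1 == "install" && $2 == m && $3 == "/bin/true" { hit = 1 }
                          END { exit !hit }' "$f"; then
            return 0
        fi
    done
    return 1
}

# 0 if module $2 appears in the /proc/modules-format file $1 (what lsmod reads).
is_loaded() {
    awk -v m="$2" '$1 == m { hit = 1 } END { exit !hit }' "$1"
}

# 0 if module $2 is compiled into the kernel according to modules.builtin file $1.
is_builtin() {
    [ -f "$1" ] || return 1
    grep -q "/$2\.ko\$" "$1"
}

# Usage: audit_module MODULE MODPROBE_DIR PROC_MODULES MODULES_BUILTIN
# Prints PASS, FAIL_LOADED, FAIL_NO_OVERRIDE or BUILTIN.
audit_module() {
    if is_builtin "$4" "$1"; then
        echo "BUILTIN"; return 2      # an 'install' override has no effect here
    fi
    if is_loaded "$3" "$1"; then
        echo "FAIL_LOADED"; return 1
    fi
    if has_install_override "$2" "$1"; then
        echo "PASS"; return 0
    fi
    echo "FAIL_NO_OVERRIDE"; return 1
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--live" ]; then
    audit_module vfat /etc/modprobe.d /proc/modules "/lib/modules/$(uname -r)/modules.builtin"
fi
```

A `BUILTIN` result means the control cannot be met through modprobe.d on that kernel, which is the situation the NOTE describes for Ubuntu 16.04.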