This article reviews one of the recommendations compiled in the CIS (Center for Internet Security) benchmark for CentOS 7 Linux, which establishes a standard set of guidelines for the secure configuration of a machine or server running CentOS 7 on either a 32-bit or 64-bit architecture. The focus here is on disabling the squashfs filesystem.
The purpose of disabling squashfs is to harden the operating system: a filesystem that is not needed on the server should not be loadable, since every loadable kernel module is additional attack surface. Wikipedia defines squashfs as follows:
SquashFS is a compressed read-only file system for Linux. SquashFS compresses files, inodes and directories, and supports block sizes up to 1 MB for greater compression. SquashFS is also the name of free software, licensed under the GPL, for accessing SquashFS filesystems.
The same recommendation applies to CentOS, which is built from the Red Hat Enterprise Linux sources. The recommendation proposed in this article is Disable Mounting of squashfs Filesystems. It is specified in the Guide to the Secure Configuration of Red Hat Enterprise Linux 6 and in the Guide to the Secure Configuration of Red Hat Enterprise Linux 7. The CCE identifier (CCE-ID) for disabling mounting of squashfs is CCE-26404-4 for Red Hat Enterprise Linux 6 and CCE-80142-3 for Red Hat Enterprise Linux 7.
To enhance the operating system's security, the CIS benchmark for CentOS 7, a single document on standard secure configuration derived from the Guide to the Secure Configuration of Red Hat Enterprise Linux 7, recommends permanently disabling the squashfs filesystem.
Disabling the squashfs filesystem is simple: create a new file, or edit an existing one, in /etc/modprobe.d and add the following line to it:
install squashfs /bin/true
The file can have any name as long as it ends in .conf, because modprobe only reads files in /etc/modprobe.d with that extension. To keep it simple, the file is named after the filesystem being disabled. For example:
[root@localhost modprobe.d]# touch squashfs.conf
[root@localhost modprobe.d]#
Edit the file and insert the line shown above, for example with vim:
[root@localhost modprobe.d]# vim squashfs.conf
Inserting the line 'install squashfs /bin/true' into 'squashfs.conf' disables the squashfs filesystem, which is assumed to be uncommon on a server. The install directive tells modprobe to run /bin/true instead of loading the module, so any attempt to load squashfs, including the kernel's own autoload request when something tries to mount a squashfs image, does nothing and the mount fails with an unknown filesystem type. Two caveats: the setting only affects future load requests, so a module that is already resident must be unloaded with rmmod (or the machine rebooted), and it only works because CentOS 7 builds squashfs as a loadable module rather than into the kernel. The result can be verified with 'modprobe -n -v squashfs', which should print 'install /bin/true', and with 'lsmod | grep squashfs', which should print nothing.
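As an added example that is not part of the original article, the following script packages the remediation and the CIS-style audit check into shell functions. It assumes it runs as root on the target host when invoked with --apply (a flag chosen here for illustration); the audit functions take text rather than calling the system, so they can be exercised on the constructed lsmod sample included in the script, and the CONF_DIR variable is an assumption that lets the drop-in be written somewhere other than /etc/modprobe.d for a dry run.

```shell
#!/bin/bash
# Added example, not the article's own commands: disable a filesystem
# module via /etc/modprobe.d and audit the result the way CIS does.

MODULE="squashfs"
CONF_DIR="${CONF_DIR:-/etc/modprobe.d}"   # assumption: overridable for dry runs

# Write the modprobe.d drop-in that makes modprobe run /bin/true
# instead of loading the module. Only *.conf files are read by modprobe.
write_disable_conf() {
  local module="$1" dir="$2"
  printf 'install %s /bin/true\n' "$module" > "$dir/$module.conf"
}

# Returns 0 when the text of `modprobe -n -v <module>` shows the
# override (CIS expects exactly the line "install /bin/true"), else 1.
check_modprobe_output() {
  printf '%s\n' "$1" | grep -Eq '^install[[:space:]]+/bin/true[[:space:]]*$'
}

# Returns 0 when the module does not appear in the first column of an
# lsmod listing (the "Used by" column can mention it without it being
# the module that is loaded, so only column 1 is checked).
check_not_loaded() {
  local module="$1" lsmod_output="$2"
  ! printf '%s\n' "$lsmod_output" | awk '{print $1}' | grep -qx "$module"
}

# Full remediation plus audit against the live system (root required).
# Returns 0 only when both CIS audit checks pass afterwards.
disable_module() {
  local module="$1"
  write_disable_conf "$module" "$CONF_DIR"
  # The drop-in only affects future loads; unload a resident module too.
  if lsmod | awk '{print $1}' | grep -qx "$module"; then
    rmmod "$module"
  fi
  check_modprobe_output "$(modprobe -n -v "$module")" &&
    check_not_loaded "$module" "$(lsmod)"
}

# Constructed lsmod sample (not captured from a real host) showing the
# module still resident: the drop-in alone would not cover this case.
SAMPLE_LSMOD_LOADED='Module                  Size  Used by
squashfs               48056  1
loop                   28072  2 squashfs'

if [ "${1:-}" = "--apply" ]; then
  disable_module "$MODULE" && echo "$MODULE disabled and audit passed"
fi
```

Run it as root with --apply to remediate and audit in one step; without the flag it only defines the functions, so the checks can be tried against saved command output first.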