This article reviews one of the recommendations in the CIS (Center for Internet Security) benchmark for CentOS 7 Linux. The benchmark provides guidelines that establish a standard for secure configuration of servers running CentOS 7 on either x86 or x64 platforms. For further reference, it can be viewed in the following link. It is hosted on a security benchmarking website supported by the organization called CIS (Center for Internet Security), which can be visited in this link.
The recommendation in this context is to disable cramfs, which is a type of Linux filesystem. Based on Wikipedia's definition, cramfs is known as the compressed ROM file system, and it is a free (GPL'ed) read-only Linux file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems. More information about cramfs can be found in this link.
The recommendation itself is one of the CCE Identifiers specified in the Guide to the Secure Configuration of Red Hat Enterprise Linux 6. The CCE Identifier (CCE ID) for Disabling Mounting of cramfs is CCE-26340-0. The full recommendation can be accessed as a webpage in this link. CentOS 7, which is analogous to and can generally be compared with Red Hat Enterprise Linux 7, has its own full recommendation, which can be found in this link as a webpage and in this link as a PDF file. The CCE ID for the recommendation on Disabling Mounting of cramfs there is CCE-80137-3.
If the cramfs file system is not used, the recommendation from CIS, compiled in a single document on the standard for secure configuration of CentOS 7, is to permanently disable the file system.
To disable the file system, define one line of configuration in a file placed in /etc/modprobe.d. Create a new file there and put the necessary configuration in it. The file can have any file name; what matters is that it contains the configuration specified below:
install cramfs /bin/true
The above entry disables the cramfs file system. Create a file with any name; to keep things simple, name it after the file system that is going to be disabled. For example:
[root@localhost modprobe.d]# touch cramfs.conf
[root@localhost modprobe.d]#
Edit the file and fill it with the content stated above by executing the following command:
[root@localhost modprobe.d]# vim cramfs.conf
Adding 'install cramfs /bin/true' to the newly created file named 'cramfs.conf' prevents usage of the cramfs filesystem, which is generally uncommon. It does this by preventing the cramfs kernel module from being loaded.
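
The steps above can also be scripted and checked. The following shell functions are an added example, not part of the CIS document or the original article; the function names and the optional directory and file arguments are assumptions made so the checks can be tried on a scratch directory first.

```shell
#!/bin/sh
# Added example: audit and apply the cramfs override from this article.
# Directory and file arguments are assumptions of this sketch so the checks
# can be run against a scratch copy instead of the live system.

# True if a *.conf file maps "install cramfs" to /bin/true.
# modprobe only reads files ending in .conf; commented-out lines do not count.
cramfs_override_present() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+cramfs[[:space:]]+/bin/true[[:space:]]*$' \
        "${1:-/etc/modprobe.d}"/*.conf
}

# True if the module is already in the running kernel. The override only
# blocks future modprobe loads; it does not unload a module that is in use.
cramfs_loaded() {
    grep -q '^cramfs ' "${1:-/proc/modules}"
}

# Write the override once; a second run leaves the file unchanged.
cramfs_disable() {
    cramfs_override_present "${1:-/etc/modprobe.d}" && return 0
    printf 'install cramfs /bin/true\n' >> "${1:-/etc/modprobe.d}/cramfs.conf"
}

# Return 0 only when the override exists and the module is not loaded.
cramfs_audit() {
    rc=0
    if ! cramfs_override_present "${1:-/etc/modprobe.d}"; then
        echo "FAIL: no 'install cramfs /bin/true' line in ${1:-/etc/modprobe.d}/*.conf"
        rc=1
    fi
    if cramfs_loaded "${2:-/proc/modules}"; then
        echo "FAIL: cramfs is loaded now; unload it with 'rmmod cramfs'"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: override present and cramfs not loaded"
    return "$rc"
}

# Usage as root, after sourcing this file:  cramfs_audit || cramfs_disable
```

On the live system, running `modprobe -n -v cramfs` after the change should print `install /bin/true`, which confirms that modprobe resolves the module to the override.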