This article is another review of one of the recommendations compiled by CIS (Center for Internet Security) in its CentOS 7 Linux benchmark. The recommendation, part of a set of guidelines for establishing a standard secure configuration on servers running CentOS 7 on either x86 or x64 platforms, is to disable the udf filesystem.
Disabling udf, which is one of the Linux filesystem types, is expected to add another point of security hardening at the operating system level. According to Wikipedia's definition, Universal Disk Format (UDF) is a profile of the specification known as ISO/IEC 13346 and ECMA-167, and is an open vendor-neutral file system for computer data storage for a broad range of media. In practice, it has been most widely used for DVDs and newer optical disc formats, supplanting ISO 9660. This definition of udf can be found in this link, which also gives a more detailed description.
Depending on the version of the operating system, a CentOS Linux distribution can use the recommendation as classified and specified either in the Guide to the Secure Configuration of Red Hat Enterprise Linux 6, whose full recommendation can be accessed as a webpage in this link, or in the Guide to the Secure Configuration of Red Hat Enterprise Linux 7, which can be found as a webpage in this link. The PDF version is available for download in this link. The CCE identifier (CCE ID) for Disabling Mounting of udf is CCE-26677-5 in Red Hat Enterprise Linux 6, while the CCE ID for Disabling Mounting of UDF is CCE-80143-1 in Red Hat Enterprise Linux 7.
To enhance the security of the operating system, if the udf file system, which is considered an uncommon filesystem, is not used, the recommendation from CIS is to permanently disable it. The recommendation is compiled in a single document on the standard for secure configuration of CentOS 7, which is derived from RHEL 7.
To disable the udf file system, create a new file or modify an existing file located in /etc/modprobe.d, and add the following line to that file:
install udf /bin/true
The entry shown above disables the udf file system. As stated before, it can be placed in a new file with any kind of name; to keep things simple, give the file the same name as the file system that is going to be disabled. For example:
[root@localhost modprobe.d]# touch udf.conf
[root@localhost modprobe.d]#
Edit the file and add the content shown above by executing the following command:
[root@localhost modprobe.d]# vim udf.conf
Adding ‘install udf /bin/true’ to the newly created file named ‘udf.conf’ prevents use of the udf filesystem, which is classified as an uncommon filesystem. It works by preventing the udf file system kernel module from being loaded.
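To verify the result of the steps above, the following script is an added example (not part of the original article or of the CIS benchmark) that checks for the entry and for an already loaded module, since the entry only affects later load requests made through modprobe. It scans only *.conf files because modprobe ignores other names in /etc/modprobe.d; the function names are hypothetical and the sample directory at the end is constructed.

```shell
#!/bin/sh
# Added example: audit the udf block described in the article.

# Succeeds if a *.conf file in directory $1 maps "install udf" to /bin/true.
# /bin/false is accepted too; it blocks the load the same way.
udf_install_blocked() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        # Drop comments, then match the entry with any amount of whitespace.
        if sed 's/#.*//' "$f" | grep -Eq \
            '^[[:space:]]*install[[:space:]]+udf[[:space:]]+/bin/(true|false)[[:space:]]*$'
        then
            return 0
        fi
    done
    return 1
}

# Succeeds if udf is listed in a /proc/modules style file ($1).
udf_loaded() {
    grep -q '^udf ' "$1" 2>/dev/null
}

# Usage: audit_udf [modprobe_dir] [modules_file]; returns 0 only if both pass.
audit_udf() {
    conf_dir=${1:-/etc/modprobe.d}
    modules=${2:-/proc/modules}
    rc=0
    if udf_install_blocked "$conf_dir"; then
        echo "PASS: udf install override found in $conf_dir"
    else
        echo "FAIL: no 'install udf /bin/true' entry in $conf_dir/*.conf"
        rc=1
    fi
    if udf_loaded "$modules"; then
        echo "FAIL: udf is currently loaded"
        rc=1
    else
        echo "PASS: udf is not loaded"
    fi
    return $rc
}

# Constructed sample: a temp dir standing in for /etc/modprobe.d.
demo=$(mktemp -d)
printf 'install udf /bin/true\n' > "$demo/udf.conf"
: > "$demo/modules"
audit_udf "$demo" "$demo/modules"
rm -rf "$demo"
```

Calling audit_udf with no arguments checks the live /etc/modprobe.d and /proc/modules.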