禁用某些文件系统的挂载

tag-icon tag-icon filesystem security lynis
禁用某些文件系统的挂载

我跑了莱尼斯在我的 Ubuntu 16.04.2 LTS 客户机上。我一直在解决问题,但经过大量搜索(包括在这个网站上),我似乎找不到解决这些点数损失的建议。任何指示都将不胜感激。

Performing test ID FILE-6430 (Disable mounting of some filesystems)
Result: found module support in kernel: insmod /lib/modules/4.4.0-81-generic/kernel/fs/cramfs/cramfs.ko 
Test: Checking if cramfs is active
Result: module cramfs is not loaded in the kernel
Hardening: assigned partial number of hardening points (2 of 3). Currently having 80 points (out of 87)
Result: found module support in kernel: insmod /lib/modules/4.4.0-81-generic/kernel/fs/freevxfs/freevxfs.ko 
Test: Checking if freevxfs is active
Result: module freevxfs is not loaded in the kernel
Hardening: assigned partial number of hardening points (2 of 3). Currently having 82 points (out of 90)
Result: found module support in kernel: insmod /lib/modules/4.4.0-81-generic/kernel/fs/hfs/hfs.ko 
Test: Checking if hfs is active
Result: module hfs is not loaded in the kernel
Hardening: assigned partial number of hardening points (2 of 3). Currently having 84 points (out of 93)
Result: found module support in kernel: insmod /lib/modules/4.4.0-81-generic/kernel/fs/hfsplus/hfsplus.ko 
Test: Checking if hfsplus is active
Result: module hfsplus is not loaded in the kernel
Hardening: assigned partial number of hardening points (2 of 3). Currently having 86 points (out of 96)
Result: found module support in kernel: insmod /lib/modules/4.4.0-81-generic/kernel/fs/jffs2/jffs2.ko 
Test: Checking if jffs2 is active
Result: module jffs2 is not loaded in the kernel
Hardening: assigned partial number of hardening points (2 of 3). Currently having 88 points (out of 99)
Hardening: assigned maximum number of hardening points for this item (3). Currently having 91 points (out of 102)
Result: found module support in kernel: insmod /lib/modules/4.4.0-81-generic/kernel/fs/udf/udf.ko 
Test: Checking if udf is active
Result: module udf is not loaded in the kernel
Hardening: assigned partial number of hardening points (2 of 3). Currently having 93 points (out of 105)
Checking permissions of /usr/share/lynis/include/tests_storage
File permissions are OK

答案1

我找到答案了。编辑文件

/etc/modprobe.d/blacklist.conf

并将以下内容添加到末尾

# instruct modprobe to force inactive modules to always fail loading
install cramfs /bin/false
install freevxfs /bin/false
install hfs /bin/false
install hfsplus /bin/false
install jffs2 /bin/false
install udf /bin/false

相关内容