Reducing the attack surface of a server is critical for maintaining a secure infrastructure. One step in this process is disabling unused filesystem types, such as CRAMFS (Compressed ROM File System), which is commonly found in small embedded Linux systems. If your server does not rely on this filesystem, it’s a good practice to disable it.
This blog post provides an easy way to disable CRAMFS with a single command and explains the rationale behind this security measure.
What is CRAMFS?
The CRAMFS filesystem is a compressed, read-only Linux filesystem that is often embedded in small footprint systems. Since it’s a legacy system, many servers and setups do not require it anymore. By disabling it, you reduce the local attack surface, ensuring your server is more secure.
Why Disable CRAMFS?
If CRAMFS isn’t needed, disabling it removes one avenue through which a vulnerability in this filesystem could be exploited. Systems that leave this unused kernel module available can become targets for attackers who know how to exploit it.
Compliance Standards
Disabling CRAMFS can help you align with several security compliance frameworks:
- CIS: 1.1.1.1
- CMMC v2.0: AC.1.002, CM.2.061, SC.3.180
- ISO 27001-2013: A.8.1.3, A.14.2.5
- NIST SP 800-53: AU-2, CM-1, CM-2, CM-6, CM-7, IA-5, IA-6, SC-20, SC-21
- PCI DSS v3.2.1: 2.2
These standards emphasize system hardening by disabling unnecessary services and modules, reducing the attack surface, and enhancing security.
How to Disable CRAMFS in One Click
We’ve made it simple to disable CRAMFS with just one command using wget and bash. The script linked below will handle everything for you.
Run the following command to disable CRAMFS:
bash -c "$(wget -qLO - https://clouds.innocentmichael.org/index.php/s/MzpHQzJdNYYftXa/download/disable_cramfs.sh)"
Manual Steps (for advanced users)
If you prefer a manual approach, follow these steps:
- Create a configuration file:
  vim /etc/modprobe.d/cramfs.conf
- Add the following line to the file:
  install cramfs /bin/true
- Unload the CRAMFS module:
  rmmod cramfs
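The manual steps above, collected into one script with a verification step. This is an added example, not the post's linked disable_cramfs.sh: it writes the same `install cramfs /bin/true` override, unloads the module only if it is currently loaded, and then audits the result with a modprobe dry run. MODPROBE_DIR and MODULE are assumed environment overrides (not part of the original) so the file-handling logic can be exercised against a scratch directory without root.

```shell
#!/bin/sh
# Added example (not the post's script): apply and audit the modprobe override
# that prevents the cramfs kernel module from loading. Assumes a Linux host with
# modprobe/rmmod. MODPROBE_DIR and MODULE are assumed overrides so the logic can
# be exercised against a scratch directory without root.
set -eu

MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
MODULE="${MODULE:-cramfs}"

conf_path() { printf '%s/%s.conf\n' "$MODPROBE_DIR" "$MODULE"; }

# Write "install cramfs /bin/true": modprobe then runs /bin/true instead of
# loading the module. Prints the path of the file it wrote.
write_override() {
    conf=$(conf_path)
    mkdir -p "$MODPROBE_DIR"
    printf 'install %s /bin/true\n' "$MODULE" > "$conf"
    printf '%s\n' "$conf"
}

# Succeeds only if the override line is present in the expected file.
override_present() {
    conf=$(conf_path)
    if [ -f "$conf" ] && grep -Eq "^install[[:space:]]+${MODULE}[[:space:]]+/bin/true" "$conf"; then
        return 0
    fi
    return 1
}

# Succeeds if the module is currently loaded (reads /proc/modules, no root needed).
module_loaded() {
    if [ -r /proc/modules ] && grep -q "^${MODULE} " /proc/modules; then
        return 0
    fi
    return 1
}

# The override only blocks future loads; a module already in memory stays
# until rmmod. rmmod needs root and fails while a cramfs image is mounted.
unload_module() {
    if module_loaded; then
        rmmod "$MODULE"
    fi
}

# Report the override state, the loaded state, and what modprobe would do
# on a dry run (-n) with verbose output (-v) without actually loading anything.
audit() {
    if override_present; then echo "override: present"; else echo "override: MISSING"; fi
    if module_loaded; then echo "loaded: yes"; else echo "loaded: no"; fi
    if command -v modprobe >/dev/null 2>&1; then
        echo "dry run (modprobe -n -v $MODULE):"
        modprobe -n -v "$MODULE" 2>&1 || true
    fi
}

case "${1:-}" in
    apply) write_override; unload_module; audit ;;
    audit) audit ;;
    "")    : ;;   # no sub-command: only define the functions (file can be sourced)
    *)     echo "usage: $0 {apply|audit}" >&2; exit 2 ;;
esac
```

Run `sudo sh disable_cramfs.sh apply` once, then `sh disable_cramfs.sh audit` as an ordinary user at any later time: with the override in place the dry run should show the install line being executed rather than an insmod of the module, and "loaded: no" confirms the unload step took effect.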
Conclusion
Disabling unnecessary components such as CRAMFS is a key step toward securing your server. By following the steps above or using the provided script, you can easily implement this security enhancement and comply with recognized security standards.
By making a small change today, you can better protect your infrastructure from potential vulnerabilities tomorrow.