Linux - System Preferences - Ensure Mounting of Cramfs Filesystems is Disabled

What the cramfs disabler does

This Automox Worklet™ disables the cramfs filesystem mounting capability on Linux endpoints. The Worklet prevents the kernel from loading the cramfs module by creating a configuration file that redirects module installation to a null command.

The Worklet first detects whether the cramfs module is currently loaded on the endpoint. If present, it creates a blocking configuration file at /etc/modprobe.d/cramfs.conf and unloads the module using rmmod. This ensures that cramfs cannot be mounted, even if the system reboots.

Cramfs is a legacy compressed filesystem format that is rarely used in modern Linux deployments. Disabling unused filesystem support is a core security hardening practice recommended by compliance frameworks.

Why disable cramfs on Linux endpoints

Every loaded kernel module represents additional code running at the highest privilege level, creating potential attack vectors. Cramfs is an obsolete compressed filesystem format from the embedded systems era that provides no benefit to modern enterprise Linux deployments. Leaving unnecessary filesystem modules enabled violates the principle of least privilege and increases your attack surface. Security frameworks including CIS Benchmarks, NIST 800-53, and common Linux hardening standards specifically mandate disabling cramfs to reduce the code paths attackers could exploit for privilege escalation or kernel-level compromises.

Also, removing unnecessary kernel modules improves system maintainability and reduces complexity. When endpoints only load the filesystems they actually use, IT teams can better understand and audit their system configurations. This practice aligns with the principle of least privilege applied to kernel-level features.

How cramfs disabling works

1. Evaluation phase: The Worklet uses modprobe and lsmod commands to check if the cramfs module is installed and currently loaded on the endpoint. If cramfs is not present or already disabled, the Worklet exits without requiring remediation.

2. Remediation phase: The Worklet creates /etc/modprobe.d/cramfs.conf with the line "install cramfs /bin/true" to prevent future module loading, then immediately unloads the currently loaded module using rmmod cramfs. The configuration persists across reboots.

Cramfs disabling requirements

• Linux endpoints (any distribution: Red Hat, Ubuntu, Debian, CentOS, etc.)

• Root or sudo access to execute modprobe, lsmod, and rmmod commands

• Automox Agent version 1.42.22 or later

• Write permissions to /etc/modprobe.d/ directory

• Note: Kernel-level changes may require a reboot to take full effect on some systems

Expected cramfs security state

After successful remediation, the endpoint enters a hardened security state where cramfs filesystem support is permanently disabled. The cramfs module is immediately unloaded from the running kernel and blocked from loading in future boot cycles. The endpoint achieves compliance with CIS Benchmark section 1.1.1.2 for disabled unnecessary filesystems. You can verify the change by running "lsmod | grep cramfs" in a terminal–this command returns no results when cramfs is properly disabled. Running "modprobe cramfs" will fail with an error message, confirming the module is blocked at the kernel level.

The remediation file /etc/modprobe.d/cramfs.conf will remain in place, verifying that even if the system reboots or administrators attempt to load cramfs, the kernel will refuse the request. This persistent configuration aligns with system hardening best practices and maintains your compliance posture over time.

How to validate verify mounting of cramfs filesystems is disabled changes

1. Run this Worklet on a pilot Linux endpoint and review evaluation output for verify mounting of cramfs filesystems is disabled.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as else, exit.

4. Validate remediation effects from script operations such as function, touch, rmmod, then rerun evaluation for compliance.