Linux - System Preferences - Ensure Mounting of Hfsplus Filesystems is Disabled

What the hfsplus disabler does

This Automox Worklet™ detects whether hfsplus filesystem support is enabled on Linux endpoints and, if found, disables it by creating a modprobe configuration file and unloading the kernel module.

The Worklet specifically checks for the hfsplus module using modprobe, verifies whether the module is currently loaded via lsmod, and then prevents the module from loading in the future by installing a rule in /etc/modprobe.d/hfsplus.conf that maps the install command to /bin/true.

d/hfsplus.conf".

This approach effectively disables hfsplus while maintaining backward compatibility and allowing the endpoint to continue operating without kernel-level changes until the next reboot.

Why disable hfsplus filesystem support

Linux endpoints with the hfsplus module enabled can mount Mac-formatted drives even when your organization has no Mac infrastructure, creating an unnecessary attack surface. Attackers exploit filesystem parsing vulnerabilities to trigger kernel-level code execution or use specially crafted HFS Plus filesystems on USB drives to deliver malware. The module remains loaded by default despite serving no legitimate purpose on pure Linux environments.

This Automox Worklet eliminates this risk by blocking the hfsplus module through modprobe configuration. The approach aligns with CIS Distribution Independent Linux v2.0.0 benchmarks requiring removal of unused filesystem support. You reduce kernel-level exposure and prevent unauthorized filesystem access by disabling the module before attackers can exploit filesystem vulnerabilities for privilege escalation.

How hfsplus module disabling works

1. Evaluation phase: The Worklet checks if the hfsplus module exists on the endpoint using modprobe -n -v hfsplus. If the module is not found, the Worklet exits successfully. If the module exists, the Worklet checks whether it is currently loaded by parsing lsmod output. If the module is loaded, the Worklet reports non-compliance and triggers remediation.

2. Remediation phase: The Worklet creates /etc/modprobe.d/hfsplus.conf with an install rule that redirects hfsplus loading to /bin/true, preventing the module from ever loading. The Worklet then immediately unloads the currently running hfsplus module using rmmod hfsplus. Finally, the Worklet verifies that the module is no longer loaded and reports success.

HFS Plus disabler requirements

• Linux endpoints (workstations or servers)

• Bash shell support

• Root or sudo privileges to modify /etc/modprobe.d/ and execute rmmod

• Automox Agent version 1.42.22 or later

• FixNow feature license (RunNow capability)

Expected filesystem security state

After completion, the hfsplus kernel module is unloaded from memory and blocked from loading in future. The file /etc/modprobe.d/hfsplus.conf contains the install rule redirecting to /bin/true, which prevents the module from ever loading again. Endpoints cannot mount HFS Plus filesystems from external drives, and attempts to access Mac-formatted USB drives fail with "unknown filesystem type" errors.

Verify the module is disabled by running lsmod | grep hfsplus, which returns no output when successful. Check the configuration file with cat /etc/modprobe.d/hfsplus.conf to confirm the install rule exists. Test by attempting to mount an HFS Plus filesystem, which fails as expected. The changes persist across reboots and require manual removal of the configuration file to reverse.

How to validate verify mounting of hfsplus filesystems is disabled changes

1. Run this Worklet on a pilot Linux endpoint and review evaluation output for verify mounting of hfsplus filesystems is disabled.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as else, exit.

4. Validate remediation effects from script operations such as function, touch, rmmod, then rerun evaluation for compliance.