Linux - System Preferences - Ensure Mounting of Squashfs Filesystems is Disabled

What the squashfs filesystem disabler does

This Automox Worklet™ disables the squashfs filesystem mounting capability on Linux endpoints. Squashfs is a compressed read-only filesystem commonly used in embedded systems and Linux distributions, but unnecessary on standard server and workstation deployments.

The Worklet prevents the squashfs kernel module from loading by creating a modprobe configuration file that blocks module installation. This ensures that even if someone attempts to mount a squashfs filesystem, the kernel denies the operation.

Why disable squashfs mounting on Linux

Unnecessary filesystem types increase attack surface and create potential vulnerability vectors. When your Linux endpoints do not require squashfs capabilities, the loaded kernel module adds complexity without providing operational value. Adversaries who gain unauthorized access can exploit kernel-level vulnerabilities in specific filesystem implementations.

Restricting filesystem capabilities limits what adversaries can do if they gain unauthorized access. Kernel-level vulnerabilities affecting specific filesystem types cannot be exploited if the filesystem is not available on the system.

This control satisfies CIS Distribution Independent Linux v2.0.0 requirements and helps IT operations teams meet compliance obligations for security hardening.

How squashfs filesystem disabling works

1. Evaluation phase: Checks if the squashfs module is installed and currently loaded using modprobe and lsmod commands. If the module is not loaded, the Worklet exits without making changes.

2. Remediation phase: Creates /etc/modprobe.d/squashfs.conf with an install rule that disables module loading, then uses rmmod to unload any currently loaded squashfs kernel module from memory.

Squashfs filesystem disabling requirements

• Linux endpoints (workstations or servers)

• Root or sudo access required to modify kernel module settings and create modprobe configuration files

• Bash shell environment

• Standard Linux utilities: modprobe, lsmod, rmmod, touch, echo

• Automox agent version 1.42.22 or later

Expected squashfs filesystem state after remediation

After remediation, the squashfs kernel module cannot be loaded on the endpoint, even if explicitly requested. Any attempt to mount a squashfs filesystem will fail with a module unavailable error. The modprobe configuration persists across system reboots, maintaining this security posture permanently. You can verify the change by running lsmod to confirm squashfs is not listed and checking that /etc/modprobe.d/squashfs.conf contains the install blocking rule. This configuration satisfies CIS Distribution Independent Linux v2.0.0 benchmark requirements for filesystem hardening.

Note that as a kernel-level change, some endpoints may require a reboot to fully clear the module from memory, though the modprobe configuration takes effect immediately. You can verify the change by checking that lsmod does not list squashfs and that /etc/modprobe.d/squashfs.conf contains the install blocking rule.

How to validate verify mounting of squashfs filesystems is disabled changes

1. Run this Worklet on a pilot Linux endpoint and review evaluation output for verify mounting of squashfs filesystems is disabled.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as else, exit.

4. Validate remediation effects from script operations such as function, touch, rmmod, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for verify mounting of squashfs filesystems is disabled. This supports repeatable system preferences workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as else, exit and remediation operations such as function, touch, rmmod. Use these indicators to verify that endpoint changes match intended policy outcomes.