https://github.com/osquery/osquery logo
Powered by
Title
z

Zach Zeid

08/17/2022, 11:30 AM
is there a way w/ osquery to see if squashfs and cramfs are enabled on a host system?
a

alessandrogario

08/17/2022, 12:10 PM
Could Augeas + the config file under /boot be helpful?
Or a Yara rule, looking for the config option string
If it is built as a module, the file table can find it
z

Zach Zeid

08/17/2022, 1:55 PM
if what is built as a module? enabling file_events?
a

alessandrogario

08/17/2022, 1:57 PM
I may have misunderstood the problem; is squashfs support in the kernel? If it is, it's either built-in or relying on a .ko kernel module somewhere on disk
Dumping the kernel build-time config will contain the configuration string, such as 
CONFIG_FEATURE_NAME
and may indicate whether it's built-in, module, or off completely
On my system: 
$ grep SQUASH /boot/config-5.18.13-200.fc36.x86_64
CONFIG_SQUASHFS=m
# CONFIG_SQUASHFS_FILE_CACHE is not set
CONFIG_SQUASHFS_FILE_DIRECT=y
# CONFIG_SQUASHFS_DECOMP_SINGLE is not set
# CONFIG_SQUASHFS_DECOMP_MULTI is not set
CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU=y
CONFIG_SQUASHFS_XATTR=y
CONFIG_SQUASHFS_ZLIB=y
CONFIG_SQUASHFS_LZ4=y
CONFIG_SQUASHFS_LZO=y
CONFIG_SQUASHFS_XZ=y
CONFIG_SQUASHFS_ZSTD=y
# CONFIG_SQUASHFS_4K_DEVBLK_SIZE is not set
# CONFIG_SQUASHFS_EMBEDDED is not set
CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3
$ find /lib/modules -type f -iname '*squash*.ko*'
/lib/modules/5.18.13-200.fc36.x86_64/kernel/fs/squashfs/squashfs.ko.xz
/lib/modules/5.18.16-200.fc36.x86_64/kernel/fs/squashfs/squashfs.ko.xz
/lib/modules/5.18.17-200.fc36.x86_64/kernel/fs/squashfs/squashfs.ko.xz
In my case it's built as a module 
CONFIG_SQUASHFS=m
otherwise those files would not be there
z

Zach Zeid

08/17/2022, 2:13 PM
Sorry, I'm not being clear myself. I'm looking at implementing CIS benchmarks for CentOS, and one of the benchmarks is 
"_1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated)"
, and the audit section says to run 
modprobe
. I was wondering if osquery had a way to query for such things._
a

alessandrogario

08/17/2022, 2:17 PM
I think this method does apply then; you can test whether CONFIG_SQUASHFS is set to n
https://osquery.readthedocs.io/en/stable/deployment/yara/
https://github.com/godaddy/yara-rules/blob/master/example.yara
Augeas should be able to do this too, but I am not too familiar with it
z

Zach Zeid

08/17/2022, 3:24 PM
ok perfect, thank you, I'll look into it!
3 Views
#generalJoin Slack
Powered by