For CVE-2021-33909 (Sequoia) the Qualys folks mentioned another potential attack vector via FUSE. We have a handful of hosts which need FUSE (namely for HDFS mounts), but for the wide majority of servers we only use native filesystems implemented within Linux. As such, reduce the attack surface by
- blacklisting the fuse kernel module (a plain "blacklist fuse" entry only stops alias-based autoloading; an additional "install fuse /bin/false" line is needed to make an explicit modprobe fail as well)
- pruning the "fuse" package (which ships the setuid-root fusermount binary) via Puppet where it is not needed
We need to audit the existing use cases for FUSE and enable them via a Hiera flag. In addition it seems that on Bullseye the "fuse" kernel module always gets loaded; we need to find out what triggers this.
Current list of hosts which have the "fuse" kernel module loaded (columns are the lsmod output: module, size, use count; a non-zero use count means something such as a FUSE mount still holds the module, so rmmod will fail there until it is gone; `grep fuse /proc/mounts` shows the mounts):

bullseye hosts:
- copernicium.wikimedia.org: fuse 167936 1
- cumin2002.codfw.wmnet: fuse 167936 1
- failoid1002.eqiad.wmnet: fuse 167936 1
- failoid2002.codfw.wmnet: fuse 167936 1
- ldap-replica1003.wikimedia.org: fuse 167936 1
- ldap-replica1004.wikimedia.org: fuse 167936 1
- ldap-replica2005.wikimedia.org: fuse 167936 1
- ldap-replica2006.wikimedia.org: fuse 167936 1
- people1003.eqiad.wmnet: fuse 167936 1
- people2002.codfw.wmnet: fuse 167936 1
- rdb1011.eqiad.wmnet: fuse 167936 1
- rdb1012.eqiad.wmnet: fuse 167936 1
- rdb2007.codfw.wmnet: fuse 167936 1
- rdb2008.codfw.wmnet: fuse 167936 1
- rdb2009.codfw.wmnet: fuse 167936 1
- rdb2010.codfw.wmnet: fuse 167936 1
- sretest1002.eqiad.wmnet: fuse 167936 1
- thanos-fe2001.codfw.wmnet: fuse 167936 1
- theemin.codfw.wmnet: fuse 167936 1

buster hosts:
- an-airflow1001.eqiad.wmnet: fuse 122880 3
- an-coord1001.eqiad.wmnet: fuse 122880 3
- an-coord1002.eqiad.wmnet: fuse 122880 3
- an-launcher1002.eqiad.wmnet: fuse 122880 3
- an-test-client1001.eqiad.wmnet: fuse 122880 3
- an-test-coord1001.eqiad.wmnet: fuse 122880 3
- labstore1006.wikimedia.org: fuse 122880 3
- labstore1007.wikimedia.org: fuse 122880 3
- stat1004.eqiad.wmnet: fuse 122880 3
- stat1005.eqiad.wmnet: fuse 163840 3
- stat1006.eqiad.wmnet: fuse 122880 3
- stat1007.eqiad.wmnet: fuse 122880 3
- stat1008.eqiad.wmnet: fuse 139264 3
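The per-host audit and the blacklist step above, as an added example (not part of this task and not the Puppet code that will eventually implement the Hiera flag): it parses lsmod-style output like the list above, decides per host whether to keep, blacklist or first investigate the module, and writes the modprobe.d fragment that blocks both alias-based and explicit loading. The lsmod sample, the "needed" flag (standing in for the Hiera flag), the fragment file name and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the task: audit fuse module state and emit the
# modprobe.d fragment that disables it where it is not needed.

# Constructed sample of `lsmod` output (Module, Size, Used by); not real host data.
SAMPLE_LSMOD='Module                  Size  Used by
fuse                  167936  1
overlay               139264  0
xfs                  1564672  2'

# fuse_refcount LSMOD_TEXT -> prints the "Used by" count of fuse, or -1 if not loaded
fuse_refcount() {
    printf '%s\n' "$1" | awk '$1 == "fuse" { print $3; found = 1 }
                               END { if (!found) print -1 }'
}

# fuse_action NEEDED REFCOUNT -> keep | blacklist | investigate
# NEEDED stands in for the Hiera flag; a loaded module with a non-zero use
# count is still held by something (typically a mount), so rmmod would fail
# and the holder has to be identified first.
fuse_action() {
    needed="$1"; refcount="$2"
    if [ "$needed" = true ]; then
        echo keep
    elif [ "$refcount" -gt 0 ]; then
        echo investigate
    else
        echo blacklist
    fi
}

# blacklist_fragment -> prints the modprobe.d content.
# "blacklist" only stops autoloading through the module's aliases (e.g. fs-fuse);
# "install fuse /bin/false" makes an explicit "modprobe fuse" fail as well.
blacklist_fragment() {
    cat <<'EOF'
# Managed by the FUSE audit example: disable the fuse kernel module.
blacklist fuse
install fuse /bin/false
EOF
}

# apply_blacklist DIR -> writes DIR/disable-fuse.conf (file name is an assumption)
# and prints its path. Use /etc/modprobe.d as DIR on a real host.
apply_blacklist() {
    target="$1/disable-fuse.conf"
    blacklist_fragment > "$target"
    printf '%s\n' "$target"
}

# fusermount_is_setuid [PATH] -> exit 0 if the binary exists and is setuid
fusermount_is_setuid() {
    [ -u "${1:-/bin/fusermount}" ]
}

# Demonstration on the constructed sample and, if available, the live host.
rc=$(fuse_refcount "$SAMPLE_LSMOD")
echo "sample: fuse refcount=$rc action=$(fuse_action false "$rc")"
if command -v lsmod >/dev/null 2>&1; then
    live=$(fuse_refcount "$(lsmod)")
    echo "live host: fuse refcount=$live action=$(fuse_action "${FUSE_NEEDED:-false}" "$live")"
    fusermount_is_setuid && echo "live host: setuid fusermount present"
fi
```

On a host with the fuse package still installed, the setuid fusermount check is what makes the package removal step matter even after the module is blocked; on hosts that report "investigate", `grep fuse /proc/mounts` identifies the holder before any blacklist is applied.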