Description: The vFAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module. Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it. Audit: If utilizing UEFI the vFAT filesystem format is required. If this case, ensure that the vFAT filesystem is only used where appropriate Run the following command grep -E -i 'svfats' /etc/fstab And review that any output is appropriate for your environment If not utilizing UEFI Run the following commands and verify the output is as indicated: # modprobe -n -v vfat install /bin/true # lsmod | grep vfat Remediation: Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/vfat.conf install vfat /bin/true Run the following command to unload the vfat module: # rmmod vfat Impact: The FAT filesystem format is used by UEFI systems for the EFI boot partition. Disabling the vfat module can prevent boot on UEFI systems. FAT filesystems are often used on portable USB sticks and other flash media which are commonly used to transfer files between workstations, removing VFAT support may prevent the ability to transfer files in this way.

[yes/no]

Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/vfat.conf install vfat /bin/true Run the following command to unload the vfat module: # rmmod vfat