* CIS 1.1.14 Ensure nodev option set on /dev/shm partition (Scored) * CIS 1.1.15 Ensure nosuid option set on /dev/shm partition (Scored) * CIS 1.1.16 Ensure noexec option set on /dev/shm partition (Scored) Related-Prod: PROD-22652 Change-Id: I35f371ce36bae6104e0176f63bd43a8fc4e5bad3

il y a 6 ans · ca10ffa318
--- a/metadata/service/system/cis/cis-1-1-14_15_16.yml
+++ b/metadata/service/system/cis/cis-1-1-14_15_16.yml
@@ -0,0 +1,95 @@
 # CIS 1.1.14 Ensure nodev option set on /dev/shm partition (Scored)
 #
 # Description
 # ===========
 # The nodev mount option specifies that the filesystem cannot contain special
 # devices.
 #
 # Rationale
 # =========
 # Since the /run/shm filesystem is not intended to support devices, set this
 # option to ensure that users cannot attempt to create special devices in
 # /dev/shm partitions.
 #
 # Audit
 # =====
 # Run the following command and verify that the nodev option is set on /dev/shm .
 #
 #   # mount | grep /dev/shm
 #   shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
 #
 # Remediation
 # ===========
 #
 # Edit the /etc/fstab file and add nodev to the fourth field (mounting options)
 # for the /dev/shm partition. See the fstab(5) manual page for more information.
 # Run the following command to remount /dev/shm :
 #
 #   # mount -o remount,nodev /dev/shm
 #
 # CIS 1.1.15 Ensure nosuid option set on /dev/shm partition (Scored)
 #
 # Description
 # ===========
 # The nosuid mount option specifies that the filesystem cannot contain setuid
 # files.
 #
 # Rationale
 # =========
 # Setting this option on a file system prevents users from introducing
 # privileged programs onto the system and allowing non-root users to execute them.
 #
 # Audit
 # =====
 # Run the following command and verify that the no suid option is set on /dev/shm .
 #
 #   # mount | grep /dev/shm
 #   shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
 #
 # Remediation
 # ===========
 # Edit the /etc/fstab file and add nosuid to the fourth field (mounting options)
 # for the /dev/shm partition. See the fstab(5) manual page for more information.
 # Run the following command to remount /dev/shm :
 #
 #   # mount -o remount,nosuid /dev/shm
 #
 # 1.1.16 Ensure noexec option set on /dev/shm partition (Scored)
 #
 # Description
 # ===========
 # The noexec mount option specifies that the filesystem cannot contain
 # executable binaries.
 #
 # Rationale
 # =========
 # Setting this option on a file system prevents users from executing programs
 # from shared memory. This deters users from introducing potentially malicious
 # software on the system.
 #
 # Audit
 # =====
 # Run the following command and verify that the noexec option is set on /run/shm .
 #
 #   # mount | grep /dev/shm
 #   shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
 #
 # Remediation
 # ===========
 # Edit the /etc/fstab file and add noexec to the fourth field (mounting options)
 # for the /dev/shm partition. See the fstab(5) manual page for more information.
 # Run the following command to remount /dev/shm :
 #
 #   # mount -o remount,noexec /dev/shm
 #
 parameters:
  linux:
    storage:
      mount:
        ensure_dev_shm_mount_options:
          enabled: true
          file_system: tmpfs
          device: shm
          path: /dev/shm
          opts: rw,nosuid,nodev,noexec,relatime

--- a/metadata/service/system/cis/init.yml
+++ b/metadata/service/system/cis/init.yml
@@ -1,4 +1,5 @@
 classes:
 - service.linux.system.cis.cis-1-1-14_15_16
 - service.linux.system.cis.cis-1-5-1
 - service.linux.system.cis.cis-1-5-3
 - service.linux.system.cis.cis-3-1-2