CIS compliance (/dev/shm mount options)

* CIS 1.1.14 Ensure nodev option set on /dev/shm partition (Scored)
* CIS 1.1.15 Ensure nosuid option set on /dev/shm partition (Scored)
* CIS 1.1.16 Ensure noexec option set on /dev/shm partition (Scored)

Related-Prod: PROD-22652

Change-Id: I35f371ce36bae6104e0176f63bd43a8fc4e5bad3

metadata/service/system/cis/cis-1-1-14_15_16.yml

@@ -0,0 +1,95 @@
+# CIS 1.1.14 Ensure nodev option set on /dev/shm partition (Scored)
+#
+# Description
+# ===========
+# The nodev mount option specifies that the filesystem cannot contain special
+# devices.
+#
+# Rationale
+# =========
+# Since the /run/shm filesystem is not intended to support devices, set this
+# option to ensure that users cannot attempt to create special devices in
+# /dev/shm partitions.
+#
+# Audit
+# =====
+# Run the following command and verify that the nodev option is set on /dev/shm .
+#
+#   # mount | grep /dev/shm
+#   shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
+#
+# Remediation
+# ===========
+#
+# Edit the /etc/fstab file and add nodev to the fourth field (mounting options)
+# for the /dev/shm partition. See the fstab(5) manual page for more information.
+# Run the following command to remount /dev/shm :
+#
+#   # mount -o remount,nodev /dev/shm
+#
+# CIS 1.1.15 Ensure nosuid option set on /dev/shm partition (Scored)
+#
+# Description
+# ===========
+# The nosuid mount option specifies that the filesystem cannot contain setuid
+# files.
+#
+# Rationale
+# =========
+# Setting this option on a file system prevents users from introducing
+# privileged programs onto the system and allowing non-root users to execute them.
+#
+# Audit
+# =====
+# Run the following command and verify that the no suid option is set on /dev/shm .
+#
+#   # mount | grep /dev/shm
+#   shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
+#
+# Remediation
+# ===========
+# Edit the /etc/fstab file and add nosuid to the fourth field (mounting options)
+# for the /dev/shm partition. See the fstab(5) manual page for more information.
+# Run the following command to remount /dev/shm :
+#
+#   # mount -o remount,nosuid /dev/shm
+#
+# 1.1.16 Ensure noexec option set on /dev/shm partition (Scored)
+#
+# Description
+# ===========
+# The noexec mount option specifies that the filesystem cannot contain
+# executable binaries.
+#
+# Rationale
+# =========
+# Setting this option on a file system prevents users from executing programs
+# from shared memory. This deters users from introducing potentially malicious
+# software on the system.
+#
+# Audit
+# =====
+# Run the following command and verify that the noexec option is set on /run/shm .
+#
+#   # mount | grep /dev/shm
+#   shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
+#
+# Remediation
+# ===========
+# Edit the /etc/fstab file and add noexec to the fourth field (mounting options)
+# for the /dev/shm partition. See the fstab(5) manual page for more information.
+# Run the following command to remount /dev/shm :
+#
+#   # mount -o remount,noexec /dev/shm
+#
+parameters:
+  linux:
+    storage:
+      mount:
+        ensure_dev_shm_mount_options:
+          enabled: true
+          file_system: tmpfs
+          device: shm
+          path: /dev/shm
+          opts: rw,nosuid,nodev,noexec,relatime
+

metadata/service/system/cis/init.yml

@@ -1,4 +1,5 @@
 classes:
+- service.linux.system.cis.cis-1-1-14_15_16
 - service.linux.system.cis.cis-1-5-1
 - service.linux.system.cis.cis-1-5-3
 - service.linux.system.cis.cis-3-1-2