Bläddra i källkod
CIS 1.1.21 Disable Automounting
Related-Prod: PROD-22653 Change-Id: I5b389309f0cb2890cf9a9a777348efb5a9d7d735pull/138/merge
Dmitry Teselkin
6 år sedan
2 ändrade filer med 55 tillägg och 1 borttagningar
+ 53
- 0
metadata/service/system/cis/cis-1-1-21.yml
Visa fil
| @@ -0,0 +1,53 @@ | |||
| # CIS 1.1.21 Disable Automounting | |||
| # | |||
| # Description | |||
| # =========== | |||
| # autofs allows automatic mounting of devices, typically including CD/DVDs | |||
| # and USB drives. | |||
| # | |||
| # Rationale | |||
| # ========= | |||
| # With automounting enabled anyone with physical access could attach a USB | |||
| # drive or disc and have its contents available in system even if they lacked | |||
| # permissions to mount it themselves. | |||
| # | |||
| # Audit | |||
| # ===== | |||
| # Run the following command to verify autofs is not enabled: | |||
| # | |||
| # # systemctl is-enabled autofs | |||
| # disabled | |||
| # | |||
| # Verify result is not "enabled". | |||
| # | |||
| # Remediation | |||
| # =========== | |||
| # | |||
| # Run the following command to disable autofs : | |||
| # | |||
| # # systemctl disable autofs | |||
| # | |||
| # Impact | |||
| # ====== | |||
| # The use portable hard drives is very common for workstation users. If your | |||
| # organization allows the use of portable storage or media on workstations | |||
| # and physical access controls to workstations is considered adequate there | |||
| # is little value add in turning off automounting. | |||
| # | |||
| # Notes | |||
| # ===== | |||
| # This control should align with the tolerance of the use of portable drives | |||
| # and optical media in the organization. On a server requiring an admin to | |||
| # manually mount media can be part of defense-in-depth to reduce the risk of | |||
| # unapproved software or information being introduced or proprietary software | |||
| # or information being exfiltrated. If admins commonly use flash drives and | |||
| # Server access has sufficient physical controls, requiring manual mounting | |||
| # may not increase security. | |||
| # | |||
| parameters: | |||
| linux: | |||
| system: | |||
| service: | |||
| autofs: | |||
| status: disabled | |||
+ 2
- 1
metadata/service/system/cis/init.yml
Visa fil
| @@ -1,5 +1,4 @@ | |||
| classes: | |||
| - service.linux.system.cis.cis-1-1-14_15_16 | |||
| - service.linux.system.cis.cis-1-1-1-1 | |||
| - service.linux.system.cis.cis-1-1-1-2 | |||
| - service.linux.system.cis.cis-1-1-1-3 | |||
| @@ -8,6 +7,8 @@ classes: | |||
| - service.linux.system.cis.cis-1-1-1-6 | |||
| - service.linux.system.cis.cis-1-1-1-7 | |||
| - service.linux.system.cis.cis-1-1-1-8 | |||
| - service.linux.system.cis.cis-1-1-14_15_16 | |||
| - service.linux.system.cis.cis-1-1-21 | |||
| - service.linux.system.cis.cis-1-5-1 | |||
| - service.linux.system.cis.cis-1-5-3 | |||
| - service.linux.system.cis.cis-1-5-4 | |||
Laddar…