CIS 1.1.21 Disable Automounting

Related-Prod: PROD-22653

Change-Id: I5b389309f0cb2890cf9a9a777348efb5a9d7d735
pull/138/merge
Dmitry Teselkin 6 years ago
Parent
Current commit
def4bdd931
2 files changed, 55 insertions and 1 deletion
  1. metadata/service/system/cis/cis-1-1-21.yml (+53, -0)
  2. metadata/service/system/cis/init.yml (+2, -1)

metadata/service/system/cis/cis-1-1-21.yml (+53, -0)

@@ -0,0 +1,53 @@
# CIS 1.1.21 Disable Automounting
#
# Description
# ===========
# autofs allows automatic mounting of devices, typically including CD/DVDs
# and USB drives.
#
# Rationale
# =========
# With automounting enabled anyone with physical access could attach a USB
# drive or disc and have its contents available in system even if they lacked
# permissions to mount it themselves.
#
# Audit
# =====
# Run the following command to verify autofs is not enabled:
#
# # systemctl is-enabled autofs
# disabled
#
# Verify result is not "enabled".
#
# Remediation
# ===========
#
# Run the following command to disable autofs :
#
# # systemctl disable autofs
#
# Impact
# ======
# The use portable hard drives is very common for workstation users. If your
# organization allows the use of portable storage or media on workstations
# and physical access controls to workstations is considered adequate there
# is little value add in turning off automounting.
#
# Notes
# =====
# This control should align with the tolerance of the use of portable drives
# and optical media in the organization. On a server requiring an admin to
# manually mount media can be part of defense-in-depth to reduce the risk of
# unapproved software or information being introduced or proprietary software
# or information being exfiltrated. If admins commonly use flash drives and
# Server access has sufficient physical controls, requiring manual mounting
# may not increase security.
#
parameters:
linux:
system:
service:
autofs:
status: disabled
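
Review bot: The remediation documented in the header, `systemctl disable autofs`, only changes whether autofs is enabled at boot, and the `status: disabled` parameter at the end of the file does not say whether an already running autofs is also stopped. Suggest stating in the header whether the service is stopped as well, or adding that step, so that a node passing the `systemctl is-enabled autofs` audit is not still automounting until its next reboot. Minor: the Impact text reads "The use portable hard drives", which is missing "of".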


metadata/service/system/cis/init.yml (+2, -1)

@@ -1,5 +1,4 @@
classes:
- service.linux.system.cis.cis-1-1-14_15_16
- service.linux.system.cis.cis-1-1-1-1
- service.linux.system.cis.cis-1-1-1-2
- service.linux.system.cis.cis-1-1-1-3
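
Review bot: `service.linux.system.cis.cis-1-1-14_15_16` is dropped from the top of the class list here and reappears further down in the next hunk, a reorder that the commit message (CIS 1.1.21 Disable Automounting) does not mention. Suggest noting the move in the commit message or splitting it into its own change, and confirming that nothing depends on this class being loaded before the `cis-1-1-1-*` classes.
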
@@ -8,6 +7,8 @@ classes:
- service.linux.system.cis.cis-1-1-1-6
- service.linux.system.cis.cis-1-1-1-7
- service.linux.system.cis.cis-1-1-1-8
- service.linux.system.cis.cis-1-1-14_15_16
- service.linux.system.cis.cis-1-1-21
- service.linux.system.cis.cis-1-5-1
- service.linux.system.cis.cis-1-5-3
- service.linux.system.cis.cis-1-5-4
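
Review bot: Adding `service.linux.system.cis.cis-1-1-21` to this list applies the control to every node that includes the CIS init class, while the new file's own Impact and Notes sections say the setting should follow the organization's tolerance for portable media. Suggest documenting, here or in cis-1-1-21.yml, how a deployment that permits automounting overrides `status: disabled`.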
