Saltstack Official Linux Formula

# CIS 1.1.14 Ensure nodev option set on /dev/shm partition (Scored)
#
# Description
# ===========
# The nodev mount option specifies that the filesystem cannot contain special
# devices.
#
# Rationale
# =========
# Since the /run/shm filesystem is not intended to support devices, set this
# option to ensure that users cannot attempt to create special devices in
# /dev/shm partitions.
#
# Audit
# =====
# Run the following command and verify that the nodev option is set on /dev/shm .
#
# # mount | grep /dev/shm
# shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
#
# Remediation
# ===========
#
# Edit the /etc/fstab file and add nodev to the fourth field (mounting options)
# for the /dev/shm partition. See the fstab(5) manual page for more information.
# Run the following command to remount /dev/shm :
#
# # mount -o remount,nodev /dev/shm
#
# CIS 1.1.15 Ensure nosuid option set on /dev/shm partition (Scored)
#
# Description
# ===========
# The nosuid mount option specifies that the filesystem cannot contain setuid
# files.
#
# Rationale
# =========
# Setting this option on a file system prevents users from introducing
# privileged programs onto the system and allowing non-root users to execute them.
#
# Audit
# =====
# Run the following command and verify that the nosuid option is set on /dev/shm .
#
# # mount | grep /dev/shm
# shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
#
# Remediation
# ===========
# Edit the /etc/fstab file and add nosuid to the fourth field (mounting options)
# for the /dev/shm partition. See the fstab(5) manual page for more information.
# Run the following command to remount /dev/shm :
#
# # mount -o remount,nosuid /dev/shm
#
# CIS 1.1.16 Ensure noexec option set on /dev/shm partition (Scored)
#
# Description
# ===========
# The noexec mount option specifies that the filesystem cannot contain
# executable binaries.
#
# Rationale
# =========
# Setting this option on a file system prevents users from executing programs
# from shared memory. This deters users from introducing potentially malicious
# software on the system.
#
# Audit
# =====
# Run the following command and verify that the noexec option is set on /run/shm .
#
# # mount | grep /dev/shm
# shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
#
# Remediation
# ===========
# Edit the /etc/fstab file and add noexec to the fourth field (mounting options)
# for the /dev/shm partition. See the fstab(5) manual page for more information.
# Run the following command to remount /dev/shm :
#
# # mount -o remount,noexec /dev/shm
#
# Pillar data for the formula's mount handling: one named mount entry for
# /dev/shm whose opts field carries all three options from the checks above.
parameters:
  linux:
    storage:
      mount:
        ensure_dev_shm_mount_options:
          enabled: true
          file_system: tmpfs
          device: shm
          path: /dev/shm
          opts: rw,nosuid,nodev,noexec,relatime
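The three audit steps above all amount to reading the option list of the /dev/shm mount. The following added example (not code from the salt-formula-linux project) turns that manual `mount | grep /dev/shm` check into a script that reports exactly which of nodev, nosuid and noexec are missing; the mount lines it reads are constructed samples, and `audit_dev_shm` is a name chosen here.

```shell
#!/bin/sh
# Added example, not part of the formula: automate the CIS 1.1.14-1.1.16
# audit by parsing mount(8)-style lines read from stdin.

# audit_dev_shm: print the required options missing from the /dev/shm mount.
# Exit status: 0 compliant, 1 one or more options missing, 2 /dev/shm not mounted.
audit_dev_shm() {
    # Mount point is the third field; the option list is the last field,
    # e.g. "(rw,nosuid,nodev,noexec,relatime)" with the parentheses stripped.
    opts=$(awk '$3 == "/dev/shm" { gsub(/[()]/, "", $NF); print $NF; exit }')
    [ -n "$opts" ] || return 2
    missing=""
    for opt in nodev nosuid noexec; do
        # Surround with commas so "nodev" only matches a whole option token.
        case ",$opts," in
            *",$opt,"*) ;;
            *) missing="${missing:+$missing }$opt" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample mount output: the compliant line from the audit text
# above, and a host whose /etc/fstab entry lacks nodev and noexec.
SAMPLE_COMPLIANT='proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)'
SAMPLE_NONCOMPLIANT='shm on /dev/shm type tmpfs (rw,nosuid,relatime)'

# On a live system run:  mount | audit_dev_shm
# Demo on the constructed samples:
for sample in "$SAMPLE_COMPLIANT" "$SAMPLE_NONCOMPLIANT"; do
    if result=$(printf '%s\n' "$sample" | audit_dev_shm); then
        echo "/dev/shm: compliant"
    else
        echo "/dev/shm: missing options: ${result:-(not mounted)}"
    fi
done
```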