|
 |
a297d8 |
From cbede36c7a4e35cb882c35892cff72f9f190cbf9 Mon Sep 17 00:00:00 2001
|
|
|
a297d8 |
From: Milan Lysonek <mlysonek@redhat.com>
|
|
|
a297d8 |
Date: Mon, 8 Feb 2021 15:57:43 +0100
|
|
|
a297d8 |
Subject: [PATCH 1/5] Add nodev,nosuid,noexec options to /boot in ANSSI
|
|
|
a297d8 |
kickstart
|
|
|
a297d8 |
|
|
|
a297d8 |
---
|
|
|
a297d8 |
rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg | 2 +-
|
|
|
a297d8 |
rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg | 2 +-
|
|
|
a297d8 |
rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg | 2 +-
|
|
|
a297d8 |
rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 2 +-
|
|
|
a297d8 |
rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 2 +-
|
|
|
a297d8 |
rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 2 +-
|
|
|
a297d8 |
6 files changed, 6 insertions(+), 6 deletions(-)
|
|
|
a297d8 |
|
|
|
a297d8 |
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
|
|
a297d8 |
index 1d35bedb91..c381512476 100644
|
|
|
a297d8 |
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
|
|
a297d8 |
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
|
|
|
a297d8 |
@@ -99,7 +99,7 @@ zerombr
|
|
|
a297d8 |
clearpart --linux --initlabel
|
|
|
a297d8 |
|
|
|
a297d8 |
# Create primary system partitions (required for installs)
|
|
|
a297d8 |
-part /boot --fstype=xfs --size=512
|
|
|
a297d8 |
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
|
|
a297d8 |
part pv.01 --grow --size=1
|
|
|
a297d8 |
|
|
|
a297d8 |
# Create a Logical Volume Management (LVM) group (optional)
|
|
|
a297d8 |
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
|
|
a297d8 |
index 73225c2fab..a672b38b83 100644
|
|
|
a297d8 |
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
|
|
a297d8 |
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
|
|
|
a297d8 |
@@ -103,7 +103,7 @@ zerombr
|
|
|
a297d8 |
clearpart --linux --initlabel
|
|
|
a297d8 |
|
|
|
a297d8 |
# Create primary system partitions (required for installs)
|
|
|
a297d8 |
-part /boot --fstype=xfs --size=512
|
|
|
a297d8 |
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
|
|
a297d8 |
part pv.01 --grow --size=1
|
|
|
a297d8 |
|
|
|
a297d8 |
# Create a Logical Volume Management (LVM) group (optional)
|
|
|
a297d8 |
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
|
|
a297d8 |
index 20c4c59a78..88a7cee8ab 100644
|
|
|
a297d8 |
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
|
|
a297d8 |
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
|
|
|
a297d8 |
@@ -99,7 +99,7 @@ zerombr
|
|
|
a297d8 |
clearpart --linux --initlabel
|
|
|
a297d8 |
|
|
|
a297d8 |
# Create primary system partitions (required for installs)
|
|
|
a297d8 |
-part /boot --fstype=xfs --size=512
|
|
|
a297d8 |
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
|
|
a297d8 |
part pv.01 --grow --size=1
|
|
|
a297d8 |
|
|
|
a297d8 |
# Create a Logical Volume Management (LVM) group (optional)
|
|
|
a297d8 |
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
|
|
a297d8 |
index 728946ecb7..6f66a3774b 100644
|
|
|
a297d8 |
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
|
|
a297d8 |
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
|
|
|
a297d8 |
@@ -90,7 +90,7 @@ zerombr
|
|
|
a297d8 |
clearpart --linux --initlabel
|
|
|
a297d8 |
|
|
|
a297d8 |
# Create primary system partitions (required for installs)
|
|
|
a297d8 |
-part /boot --fstype=xfs --size=512
|
|
|
a297d8 |
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
|
|
a297d8 |
part pv.01 --grow --size=1
|
|
|
a297d8 |
|
|
|
a297d8 |
# Create a Logical Volume Management (LVM) group (optional)
|
|
|
a297d8 |
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
|
|
a297d8 |
index cd0eff2625..b5c09253a5 100644
|
|
|
a297d8 |
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
|
|
a297d8 |
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
|
|
|
a297d8 |
@@ -94,7 +94,7 @@ zerombr
|
|
|
a297d8 |
clearpart --linux --initlabel
|
|
|
a297d8 |
|
|
|
a297d8 |
# Create primary system partitions (required for installs)
|
|
|
a297d8 |
-part /boot --fstype=xfs --size=512
|
|
|
a297d8 |
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
|
|
a297d8 |
part pv.01 --grow --size=1
|
|
|
a297d8 |
|
|
|
a297d8 |
# Create a Logical Volume Management (LVM) group (optional)
|
|
|
a297d8 |
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
|
|
a297d8 |
index 3a241b06f4..fb785e0c11 100644
|
|
|
a297d8 |
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
|
|
a297d8 |
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
|
|
|
a297d8 |
@@ -90,7 +90,7 @@ zerombr
|
|
|
a297d8 |
clearpart --linux --initlabel
|
|
|
a297d8 |
|
|
|
a297d8 |
# Create primary system partitions (required for installs)
|
|
|
a297d8 |
-part /boot --fstype=xfs --size=512
|
|
|
a297d8 |
+part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
|
|
|
a297d8 |
part pv.01 --grow --size=1
|
|
|
a297d8 |
|
|
|
a297d8 |
# Create a Logical Volume Management (LVM) group (optional)
|
|
|
a297d8 |
|
|
|
a297d8 |
From 15be64cc2d6c21b0351bb8d3d1b55b1924be99ca Mon Sep 17 00:00:00 2001
|
|
|
a297d8 |
From: Milan Lysonek <mlysonek@redhat.com>
|
|
|
a297d8 |
Date: Tue, 9 Feb 2021 12:45:34 +0100
|
|
|
a297d8 |
Subject: [PATCH 2/5] Add mount_option_nodev_nonroot_local_partitions bash
|
|
|
a297d8 |
remediation
|
|
|
a297d8 |
|
|
|
a297d8 |
---
|
|
|
a297d8 |
.../bash/shared.sh | 18 ++++++++++++++++++
|
|
|
a297d8 |
1 file changed, 18 insertions(+)
|
|
|
a297d8 |
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
|
|
|
a297d8 |
|
|
|
a297d8 |
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
|
|
|
a297d8 |
new file mode 100644
|
|
|
a297d8 |
index 0000000000..7e2b3bd76b
|
|
|
a297d8 |
--- /dev/null
|
|
|
a297d8 |
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
|
|
|
a297d8 |
@@ -0,0 +1,18 @@
|
|
|
a297d8 |
+# platform = multi_platform_all
|
|
|
a297d8 |
+. /usr/share/scap-security-guide/remediation_functions
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+include_mount_options_functions
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+MOUNT_OPTION="nodev"
|
|
|
a297d8 |
+# Create array of local non-root partitions
|
|
|
a297d8 |
+readarray -t partitions_records < <(findmnt --mtab --raw --evaluate | grep "^/\w" | grep "\s/dev/\w")
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+for partition_record in "${partitions_records[@]}"; do
|
|
|
a297d8 |
+ # Get all important information for fstab
|
|
|
a297d8 |
+ mount_point="$(echo ${partition_record} | cut -d " " -f1)"
|
|
|
a297d8 |
+ device="$(echo ${partition_record} | cut -d " " -f2)"
|
|
|
a297d8 |
+ device_type="$(echo ${partition_record} | cut -d " " -f3)"
|
|
|
a297d8 |
+ # device and device_type will be used only in case when the device doesn't have fstab record
|
|
|
a297d8 |
+ ensure_mount_option_in_fstab "$mount_point" "$MOUNT_OPTION" "$device" "$device_type"
|
|
|
a297d8 |
+ ensure_partition_is_mounted "$mount_point"
|
|
|
a297d8 |
+done
|
|
|
a297d8 |
|
|
|
a297d8 |
From 36958b72896a69cb580f00a986673c8ae99cb011 Mon Sep 17 00:00:00 2001
|
|
|
a297d8 |
From: Milan Lysonek <mlysonek@redhat.com>
|
|
|
a297d8 |
Date: Tue, 9 Feb 2021 12:45:54 +0100
|
|
|
a297d8 |
Subject: [PATCH 3/5] Add mount_option_nodev_nonroot_local_partitions test
|
|
|
a297d8 |
scenarios
|
|
|
a297d8 |
|
|
|
a297d8 |
---
|
|
|
a297d8 |
.../tests/correct.pass.sh | 23 +++++++++++++++++
|
|
|
a297d8 |
.../local_mounted_during_runtime.fail.sh | 19 ++++++++++++++
|
|
|
a297d8 |
.../tests/missing_multiple_nodev.fail.sh | 23 +++++++++++++++++
|
|
|
a297d8 |
.../tests/missing_one_nodev.fail.sh | 23 +++++++++++++++++
|
|
|
a297d8 |
.../tests/remote_without_nodev.pass.sh | 25 +++++++++++++++++++
|
|
|
a297d8 |
5 files changed, 113 insertions(+)
|
|
|
a297d8 |
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
|
|
|
a297d8 |
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
|
|
|
a297d8 |
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
|
|
|
a297d8 |
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
|
|
|
a297d8 |
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
|
|
|
a297d8 |
|
|
|
a297d8 |
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
|
|
|
a297d8 |
new file mode 100644
|
|
|
a297d8 |
index 0000000000..8bfac4b80f
|
|
|
a297d8 |
--- /dev/null
|
|
|
a297d8 |
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
|
|
|
a297d8 |
@@ -0,0 +1,23 @@
|
|
|
a297d8 |
+#!/bin/bash
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+. $SHARED/partition.sh
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+# Add nodev option to all records in fstab to ensure that test will
|
|
|
a297d8 |
+# run on environment where everything is set correctly for rule check.
|
|
|
a297d8 |
+cp /etc/fstab /etc/fstab.backup
|
|
|
a297d8 |
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
|
|
a297d8 |
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
|
|
a297d8 |
+# Remount all partitions. (--all option can't be used because it doesn't
|
|
|
a297d8 |
+# mount e.g. /boot partition
|
|
|
a297d8 |
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
|
|
a297d8 |
+for partition in ${partitions[@]}; do
|
|
|
a297d8 |
+ mount -o remount "$partition"
|
|
|
a297d8 |
+done
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+PARTITION="/dev/new_partition1"; create_partition
|
|
|
a297d8 |
+make_fstab_given_partition_line "/tmp/partition1" ext2 nodev
|
|
|
a297d8 |
+mount_partition "/tmp/partition1"
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+PARTITION="/dev/new_partition2"; create_partition
|
|
|
a297d8 |
+make_fstab_given_partition_line "/tmp/partition2" ext2 nodev
|
|
|
a297d8 |
+mount_partition "/tmp/partition2"
|
|
|
a297d8 |
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
|
|
|
a297d8 |
new file mode 100644
|
|
|
a297d8 |
index 0000000000..84cadd6f73
|
|
|
a297d8 |
--- /dev/null
|
|
|
a297d8 |
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
|
|
|
a297d8 |
@@ -0,0 +1,19 @@
|
|
|
a297d8 |
+#!/bin/bash
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+. $SHARED/partition.sh
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+# Add nodev option to all records in fstab to ensure that test will
|
|
|
a297d8 |
+# run on environment where everything is set correctly for rule check.
|
|
|
a297d8 |
+cp /etc/fstab /etc/fstab.backup
|
|
|
a297d8 |
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
|
|
a297d8 |
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
|
|
a297d8 |
+# Remount all partitions. (--all option can't be used because it doesn't
|
|
|
a297d8 |
+# mount e.g. /boot partition
|
|
|
a297d8 |
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
|
|
a297d8 |
+for partition in ${partitions[@]}; do
|
|
|
a297d8 |
+ mount -o remount "$partition"
|
|
|
a297d8 |
+done
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+PARTITION="/dev/new_partition1"; create_partition
|
|
|
a297d8 |
+mkdir /tmp/test_dir
|
|
|
a297d8 |
+mount $PARTITION /tmp/test_dir
|
|
|
a297d8 |
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
|
|
|
a297d8 |
new file mode 100644
|
|
|
a297d8 |
index 0000000000..7a09093f46
|
|
|
a297d8 |
--- /dev/null
|
|
|
a297d8 |
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
|
|
|
a297d8 |
@@ -0,0 +1,23 @@
|
|
|
a297d8 |
+#!/bin/bash
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+. $SHARED/partition.sh
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+# Add nodev option to all records in fstab to ensure that test will
|
|
|
a297d8 |
+# run on environment where everything is set correctly for rule check.
|
|
|
a297d8 |
+cp /etc/fstab /etc/fstab.backup
|
|
|
a297d8 |
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
|
|
a297d8 |
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
|
|
a297d8 |
+# Remount all partitions. (--all option can't be used because it doesn't
|
|
|
a297d8 |
+# mount e.g. /boot partition
|
|
|
a297d8 |
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
|
|
a297d8 |
+for partition in ${partitions[@]}; do
|
|
|
a297d8 |
+ mount -o remount "$partition"
|
|
|
a297d8 |
+done
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+PARTITION="/dev/new_partition1"; create_partition
|
|
|
a297d8 |
+make_fstab_given_partition_line "/tmp/partition1" ext2
|
|
|
a297d8 |
+mount_partition "/tmp/partition1"
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+PARTITION="/dev/new_partition2"; create_partition
|
|
|
a297d8 |
+make_fstab_given_partition_line "/tmp/partition2" ext2
|
|
|
a297d8 |
+mount_partition "/tmp/partition2"
|
|
|
a297d8 |
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
|
|
|
a297d8 |
new file mode 100644
|
|
|
a297d8 |
index 0000000000..c20a98bdcc
|
|
|
a297d8 |
--- /dev/null
|
|
|
a297d8 |
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
|
|
|
a297d8 |
@@ -0,0 +1,23 @@
|
|
|
a297d8 |
+#!/bin/bash
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+. $SHARED/partition.sh
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+# Add nodev option to all records in fstab to ensure that test will
|
|
|
a297d8 |
+# run on environment where everything is set correctly for rule check.
|
|
|
a297d8 |
+cp /etc/fstab /etc/fstab.backup
|
|
|
a297d8 |
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
|
|
a297d8 |
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
|
|
a297d8 |
+# Remount all partitions. (--all option can't be used because it doesn't
|
|
|
a297d8 |
+# mount e.g. /boot partition
|
|
|
a297d8 |
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
|
|
a297d8 |
+for partition in ${partitions[@]}; do
|
|
|
a297d8 |
+ mount -o remount "$partition"
|
|
|
a297d8 |
+done
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+PARTITION="/dev/new_partition1"; create_partition
|
|
|
a297d8 |
+make_fstab_given_partition_line "/tmp/partition1" ext2 nodev
|
|
|
a297d8 |
+mount_partition "/tmp/partition1"
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+PARTITION="/dev/new_partition2"; create_partition
|
|
|
a297d8 |
+make_fstab_given_partition_line "/tmp/partition2" ext2
|
|
|
a297d8 |
+mount_partition "/tmp/partition2"
|
|
|
a297d8 |
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
|
|
|
a297d8 |
new file mode 100644
|
|
|
a297d8 |
index 0000000000..a95410526f
|
|
|
a297d8 |
--- /dev/null
|
|
|
a297d8 |
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
|
|
|
a297d8 |
@@ -0,0 +1,25 @@
|
|
|
a297d8 |
+#!/bin/bash
|
|
|
a297d8 |
+# packages = nfs-utils
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+. $SHARED/partition.sh
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+# Add nodev option to all records in fstab to ensure that test will
|
|
|
a297d8 |
+# run on environment where everything is set correctly for rule check.
|
|
|
a297d8 |
+cp /etc/fstab /etc/fstab.backup
|
|
|
a297d8 |
+sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
|
|
|
a297d8 |
+awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
|
|
|
a297d8 |
+# Remount all partitions. (--all option can't be used because it doesn't
|
|
|
a297d8 |
+# mount e.g. /boot partition
|
|
|
a297d8 |
+declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
|
|
|
a297d8 |
+for partition in ${partitions[@]}; do
|
|
|
a297d8 |
+ mount -o remount "$partition"
|
|
|
a297d8 |
+done
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+mkdir /tmp/testdir
|
|
|
a297d8 |
+mkdir /tmp/testmount
|
|
|
a297d8 |
+chown 2 /tmp/testdir
|
|
|
a297d8 |
+chmod 777 /tmp/testdir
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+echo '/tmp/testdir localhost(rw)' > /etc/exports
|
|
|
a297d8 |
+systemctl restart nfs-server
|
|
|
a297d8 |
+mount.nfs localhost:/tmp/testdir /tmp/testmount
|
|
|
a297d8 |
|
|
|
a297d8 |
From b7bec83d7a3ad186413777f70fe2b5d20e01e56b Mon Sep 17 00:00:00 2001
|
|
|
a297d8 |
From: Watson Sato <wsato@redhat.com>
|
|
|
a297d8 |
Date: Wed, 10 Feb 2021 18:32:26 +0100
|
|
|
a297d8 |
Subject: [PATCH 4/5] Add Ansible for
|
|
|
a297d8 |
mount_option_nodev_nonroot_local_partitions
|
|
|
a297d8 |
|
|
|
a297d8 |
The remediation metadata were inspired by the template mount_options
|
|
|
a297d8 |
---
|
|
|
a297d8 |
.../ansible/shared.yml | 18 ++++++++++++++++++
|
|
|
a297d8 |
1 file changed, 18 insertions(+)
|
|
|
a297d8 |
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
|
|
a297d8 |
|
|
|
a297d8 |
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
|
|
a297d8 |
new file mode 100644
|
|
|
a297d8 |
index 0000000000..8530604308
|
|
|
a297d8 |
--- /dev/null
|
|
|
a297d8 |
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
|
|
a297d8 |
@@ -0,0 +1,18 @@
|
|
|
a297d8 |
+# platform = multi_platform_all
|
|
|
a297d8 |
+# reboot = false
|
|
|
a297d8 |
+# strategy = configure
|
|
|
a297d8 |
+# complexity = low
|
|
|
a297d8 |
+# disruption = high
|
|
|
a297d8 |
+
|
|
|
a297d8 |
+- name: Ensure non-root local partitions are mounted with nodev option
|
|
|
a297d8 |
+ mount:
|
|
|
a297d8 |
+ path: "{{ item.mount }}"
|
|
|
a297d8 |
+ src: "{{ item.device}}"
|
|
|
a297d8 |
+ opts: "{{ item.options }},nodev"
|
|
|
a297d8 |
+ state: "mounted"
|
|
|
a297d8 |
+ fstype: "{{ item.fstype }}"
|
|
|
a297d8 |
+ when:
|
|
|
a297d8 |
+ - "item.mount is match('/\\w')"
|
|
|
a297d8 |
+ - "item.options is not search('nodev')"
|
|
|
a297d8 |
+ with_items:
|
|
|
a297d8 |
+ - "{{ ansible_facts.mounts }}"
|
|
|
a297d8 |
|
|
|
a297d8 |
From dab22894ca0798dde27c77704a7fd34d62d77f8f Mon Sep 17 00:00:00 2001
|
|
|
a297d8 |
From: Watson Sato <wsato@redhat.com>
|
|
|
a297d8 |
Date: Wed, 10 Feb 2021 20:29:32 +0100
|
|
|
a297d8 |
Subject: [PATCH 5/5] Add space before and after variable
|
|
|
a297d8 |
|
|
|
a297d8 |
---
|
|
|
a297d8 |
.../ansible/shared.yml | 2 +-
|
|
|
a297d8 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
a297d8 |
|
|
|
a297d8 |
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
|
|
a297d8 |
index 8530604308..2aa9a53e4d 100644
|
|
|
a297d8 |
--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
|
|
a297d8 |
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
|
|
|
a297d8 |
@@ -7,7 +7,7 @@
|
|
|
a297d8 |
- name: Ensure non-root local partitions are mounted with nodev option
|
|
|
a297d8 |
mount:
|
|
|
a297d8 |
path: "{{ item.mount }}"
|
|
|
a297d8 |
- src: "{{ item.device}}"
|
|
|
a297d8 |
+ src: "{{ item.device }}"
|
|
|
a297d8 |
opts: "{{ item.options }},nodev"
|
|
|
a297d8 |
state: "mounted"
|
|
|
a297d8 |
fstype: "{{ item.fstype }}"
|