diff --git a/debian8/templates/csv/mount_options.csv b/debian8/templates/csv/mount_options.csv
index 6e00a922cc..c85df506af 100644
--- a/debian8/templates/csv/mount_options.csv
+++ b/debian8/templates/csv/mount_options.csv
@@ -19,4 +19,3 @@
/tmp,nodev
/tmp,nosuid
/usr,nodev
-/var/tmp,bind
diff --git a/fedora/templates/csv/mount_options.csv b/fedora/templates/csv/mount_options.csv
index 6bbdea38f9..9f4361a7f4 100644
--- a/fedora/templates/csv/mount_options.csv
+++ b/fedora/templates/csv/mount_options.csv
@@ -12,5 +12,4 @@
/tmp,nodev
/tmp,noexec
/tmp,nosuid
-/var/tmp,bind
diff --git a/shared/fixes/bash/mount_option_var_tmp_bind.sh
new file mode 100644
index 0000000000..1466eff5f5
--- /dev/null
+++ b/shared/fixes/bash/mount_option_var_tmp_bind.sh
@@ -0,0 +1,17 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+
+. /usr/share/scap-security-guide/remediation_functions
+
+# Delete particular /etc/fstab's row if /var/tmp is already configured to
+# represent a mount point (for some device or filesystem other than /tmp)
+if grep -q -P '.*\/var\/tmp.*' /etc/fstab
+then
+ sed -i '/.*\/var\/tmp.*/d' /etc/fstab
+fi
+umount /var/tmp
+
+# Bind-mount /var/tmp to /tmp via /etc/fstab (preserving the /etc/fstab form)
+printf "%-24s%-24s%-8s%-32s%-3s\n" "/tmp" "/var/tmp" "none" "rw,nodev,noexec,nosuid,bind" "0 0" >> /etc/fstab
+
+mkdir -p /var/tmp
+mount -B /tmp /var/tmp
diff --git a/shared/checks/oval/mount_option_var_tmp_bind.xml
new file mode 100644
index 0000000000..7280364cfa
--- /dev/null
+++ b/shared/checks/oval/mount_option_var_tmp_bind.xml
@@ -0,0 +1,85 @@
+
+
+
+ Bind Mount /var/tmp To /tmp
+
+ multi_platform_all
+
+ The /var/tmp directory should be bind mounted to /tmp in
+ order to consolidate temporary storage into one location protected by the
+ same techniques as /tmp.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ /etc/fstab
+ ^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$
+ 1
+
+
+
+
+
+
+ /var/tmp
+
+
+
+
+
+
+
+
+ /etc/mtab
+ ^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$
+ 1
+
+
+
+
+
+
+
+
+
+ /tmp
+
+
+
+
+
+
+
+
+
+
diff --git a/ol7/templates/csv/mount_options.csv b/ol7/templates/csv/mount_options.csv
index 2f0aa49f0d..122198b57a 100644
--- a/ol7/templates/csv/mount_options.csv
+++ b/ol7/templates/csv/mount_options.csv
@@ -1,3 +1,2 @@
/dev/shm,nodev
/dev/shm,nosuid
-/var/tmp,bind
diff --git a/opensuse/templates/csv/mount_options.csv b/opensuse/templates/csv/mount_options.csv
deleted file mode 100644
index e024d02571..0000000000
--- a/opensuse/templates/csv/mount_options.csv
+++ /dev/null
@@ -1,9 +0,0 @@
-# format:
-# ,[,create_fstab_entry_if_needed]
-# - mount point mounted with specified option. for more than
-# one option, use multiple lines with the same , use the
-# variable name (i.e. name beginning with var_, without the leading
-# '$' to reference a variable, e.g. var_removable_partition,nodev)
-# If the remediation can create (i.e. not just modify) an /etc/fstab line,
-# add the 'create_fstab_entry_if_needed' literal string as the third argument.
-/var/tmp,bind
diff --git a/rhel-osp7/templates/csv/mount_options.csv b/rhel-osp7/templates/csv/mount_options.csv
deleted file mode 100644
index e024d02571..0000000000
--- a/rhel-osp7/templates/csv/mount_options.csv
+++ /dev/null
@@ -1,9 +0,0 @@
-# format:
-# ,[,create_fstab_entry_if_needed]
-# - mount point mounted with specified option. for more than
-# one option, use multiple lines with the same , use the
-# variable name (i.e. name beginning with var_, without the leading
-# '$' to reference a variable, e.g. var_removable_partition,nodev)
-# If the remediation can create (i.e. not just modify) an /etc/fstab line,
-# add the 'create_fstab_entry_if_needed' literal string as the third argument.
-/var/tmp,bind
diff --git a/rhel6/templates/csv/mount_options.csv b/rhel6/templates/csv/mount_options.csv
index ebf6bba9df..de0056e08c 100644
--- a/rhel6/templates/csv/mount_options.csv
+++ b/rhel6/templates/csv/mount_options.csv
@@ -12,4 +12,3 @@
/tmp,nodev
/tmp,noexec
/tmp,nosuid
-/var/tmp,bind
diff --git a/rhel7/templates/csv/mount_options.csv b/rhel7/templates/csv/mount_options.csv
index f5d9ed8cea..f9a3bc73dd 100644
--- a/rhel7/templates/csv/mount_options.csv
+++ b/rhel7/templates/csv/mount_options.csv
@@ -19,4 +19,3 @@
/var/tmp,nodev
/var/tmp,noexec
/var/tmp,nosuid
-/var/tmp,bind
diff --git a/sle11/templates/csv/mount_options.csv b/sle11/templates/csv/mount_options.csv
deleted file mode 100644
index e024d02571..0000000000
--- a/sle11/templates/csv/mount_options.csv
+++ /dev/null
@@ -1,9 +0,0 @@
-# format:
-# ,[,create_fstab_entry_if_needed]
-# - mount point mounted with specified option. for more than
-# one option, use multiple lines with the same , use the
-# variable name (i.e. name beginning with var_, without the leading
-# '$' to reference a variable, e.g. var_removable_partition,nodev)
-# If the remediation can create (i.e. not just modify) an /etc/fstab line,
-# add the 'create_fstab_entry_if_needed' literal string as the third argument.
-/var/tmp,bind
diff --git a/sle12/templates/csv/mount_options.csv b/sle12/templates/csv/mount_options.csv
index 759e51b0fe..b2df6c9f08 100644
--- a/sle12/templates/csv/mount_options.csv
+++ b/sle12/templates/csv/mount_options.csv
@@ -17,4 +17,3 @@
/var/tmp,nodev
/var/tmp,noexec
/var/tmp,nosuid
-/var/tmp,bind
diff --git a/tests/data/group_system/group_permissions/group_partitions/partition.sh b/tests/data/group_system/group_permissions/group_partitions/partition.sh
index 333a574f5e..f74a98b5b3 100644
--- a/tests/data/group_system/group_permissions/group_partitions/partition.sh
+++ b/tests/data/group_system/group_permissions/group_partitions/partition.sh
@@ -8,16 +8,21 @@ create_partition() {
}
# $1: The mount point
-# $2: The additional mount options
+# $2: The type of file system
+# $3: The additional mount options
make_fstab_given_partition_line() {
- local _mount_point="$1" _additional_mount_options="$2"
+ local _mount_point="$1" _type="$2" _additional_mount_options="$3"
test -z "$_additional_mount_options" || _additional_mount_options=",$_additional_mount_options"
- printf "%s %s ext2 rw%s 0 0\n" "$PARTITION" "$_mount_point" "$_additional_mount_options" > /etc/fstab
+ printf "%s %s %s rw%s 0 0\n" "$PARTITION" "$_mount_point" "$_type" "$_additional_mount_options" >> /etc/fstab
}
# $1: The mount point
make_fstab_correct_partition_line() {
- make_fstab_given_partition_line "$1" "nodev,noexec,nosuid"
+ make_fstab_given_partition_line "$1" "ext2" "nodev,noexec,nosuid"
+}
+
+make_fstab_bind_partition_line() {
+ make_fstab_given_partition_line "$1" "none" "nodev,noexec,nosuid,bind"
}
# $1: The mount point
@@ -28,5 +33,13 @@ mount_partition() {
mount_bind_partition() {
mkdir -p "$1"
- mount --target -B "$1"
+ mount -B "$PARTITION" "$1"
+}
+
+# $1: The path to umount and remove from /etc/fstab
+clean_up_partition() {
+ path="$1"
+ escaped_path=${path//$'/'/$'\/'}
+ sed -i "/${escaped_path}/d" /etc/fstab
+ umount ${path} || true # no problem if not mounted
}
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/fstab.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/fstab.fail.sh
index 498f44911f..0cc19818d9 100644
--- a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/fstab.fail.sh
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/fstab.fail.sh
@@ -7,6 +7,6 @@ umount /home || true # no problem if not mounted
create_partition
-make_fstab_given_partition_line /home nodev
+make_fstab_given_partition_line /home ext2 nodev
mount_partition /home
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh
index 3128ad2aee..62d36b718a 100644
--- a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh
@@ -5,6 +5,6 @@
create_partition
-make_fstab_given_partition_line /tmp nodev
+make_fstab_given_partition_line /tmp ext2 nodev
mount_partition /tmp
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/configured_and_mounted.pass.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/configured_and_mounted.pass.sh
new file mode 100644
index 0000000000..ad3c5d4f50
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/configured_and_mounted.pass.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+. ../partition.sh
+
+# Make sure scenario preparation starts from a clean state
+clean_up_partition /var/tmp
+
+# Redefine PARTITION variable defined in partition.sh
+PARTITION="/tmp"
+make_fstab_bind_partition_line /var/tmp
+
+mount_bind_partition /var/tmp
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/just_configured.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/just_configured.fail.sh
new file mode 100644
index 0000000000..87e7fc9726
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/just_configured.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+. ../partition.sh
+
+# Make sure scenario preparation starts from a clean state
+clean_up_partition /var/tmp
+
+# Redefine PARTITION variable defined in partition.sh
+PARTITION="/tmp"
+make_fstab_bind_partition_line /var/tmp
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/just_mounted.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/just_mounted.fail.sh
new file mode 100644
index 0000000000..d1bcb5a220
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/just_mounted.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+. ../partition.sh
+
+# Make sure scenario preparation starts from a clean state
+clean_up_partition /var/tmp
+
+# just mount the partition
+mount -B /tmp /var/tmp
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/separated_and_mounted.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/separated_and_mounted.fail.sh
new file mode 100644
index 0000000000..e315c54293
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/separated_and_mounted.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+. ../partition.sh
+
+# Make sure scenario preparation starts from a clean state
+clean_up_partition /var/tmp
+
+# by default /tmp is already configured and mounted
+
+# Redefine PARTITION
+mkdir -p "$PARTITION"
+make_fstab_bind_partition_line /var/tmp
+mount_bind_partition /var/tmp
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/wrong_bind.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/wrong_bind.fail.sh
new file mode 100644
index 0000000000..6ec7d6cdea
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/wrong_bind.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+. ../partition.sh
+
+# Make sure scenario preparation starts from a clean state
+clean_up_partition /var/tmp
+
+# PARTITION is defined in partition.sh
+mkdir -p "$PARTITION"
+make_fstab_bind_partition_line /var/tmp
+
+mount_bind_partition /var/tmp
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/fstab.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/fstab.fail.sh
index 37bc6e9881..431636bd13 100644
--- a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/fstab.fail.sh
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/fstab.fail.sh
@@ -5,6 +5,6 @@
create_partition
-make_fstab_given_partition_line /var/tmp nodev
+make_fstab_given_partition_line /var/tmp ext2 nodev
mount_partition /var/tmp
diff --git a/ubuntu1404/templates/csv/mount_options.csv b/ubuntu1404/templates/csv/mount_options.csv
index 6e00a922cc..c85df506af 100644
--- a/ubuntu1404/templates/csv/mount_options.csv
+++ b/ubuntu1404/templates/csv/mount_options.csv
@@ -19,4 +19,3 @@
/tmp,nodev
/tmp,nosuid
/usr,nodev
-/var/tmp,bind
diff --git a/ubuntu1604/templates/csv/mount_options.csv b/ubuntu1604/templates/csv/mount_options.csv
index 6e00a922cc..c85df506af 100644
--- a/ubuntu1604/templates/csv/mount_options.csv
+++ b/ubuntu1604/templates/csv/mount_options.csv
@@ -19,4 +19,3 @@
/tmp,nodev
/tmp,nosuid
/usr,nodev
-/var/tmp,bind
diff --git a/wrlinux/templates/csv/mount_options.csv b/wrlinux/templates/csv/mount_options.csv
index 6bbdea38f9..9f4361a7f4 100644
--- a/wrlinux/templates/csv/mount_options.csv
+++ b/wrlinux/templates/csv/mount_options.csv
@@ -12,5 +12,4 @@
/tmp,nodev
/tmp,noexec
/tmp,nosuid
-/var/tmp,bind