Bug 2032403
Summary: openscap cis_server_level1 benchmark lists mount option requirement for /var/tmp but does not require separate /var/tmp

Field | Value
---|---
Product | Red Hat Enterprise Linux 8
Component | scap-security-guide
Version | 8.5
Hardware | All
OS | All
Status | CLOSED ERRATA
Severity | medium
Priority | unspecified
Target Milestone | rc
Target Release | ---
Keywords | AutoVerified, Triaged, ZStream
Reporter | Ameya Patil <amepatil>
Assignee | Matěj Týč <matyc>
QA Contact | Matus Marhefka <mmarhefk>
Docs Contact | Jan Fiala <jafiala>
CC | ggasparb, jafiala, matyc, mhaicman, mjahoda, mlysonek, vpolasek, wsato
Fixed In Version | scap-security-guide-0.1.63-3.el8
Doc Type | Enhancement
Story Points | ---
Clone Of | 
Cloned by | 2117510 2117511
Bug Blocks | 2117510, 2117511
Last Closed | 2022-11-08 09:39:56 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---

Doc Text:

SSG rules for mount options no longer fail incorrectly if the `/tmp` and `/var/tmp` partitions do not exist

Previously, the SCAP Security Guide (SSG) rules for mount options of the `/tmp` and `/var/tmp` partitions incorrectly reported a `fail` result if such partitions did not exist on the system.

This enhancement makes those rules evaluate as not applicable instead of failing. Now the rules fail only when the partition exists and the system does not have the correct mount options.

If these mount options are essential for a particular policy, a rule that prescribes the existence of such partitions should be present in the profile, and that one rule should fail.
Description
Ameya Patil
2021-12-14 12:41:17 UTC
Hello Ameya, the rule should stay in the profile, the CIS benchmark says so. Although the requirement for /var/tmp partition is in Level 2 profile, possible mount options are already in Level 1 profile. But the rule should be smart and check if the partition actually exists. If it does not, it will show as "not applicable". This is not happening now and I think we can implement that. Is this acceptable for the customer?

Here is an excerpt from the CIS RHEL7 benchmark:

> 1.1.12 Ensure /var/tmp partition includes the noexec option (Automated)
>
> Profile Applicability: Level 1 - Server, Level 1 - Workstation
>
> Description: The noexec mount option specifies that the filesystem cannot contain executable binaries.
>
> Rationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp.
>
> Audit: If a /var/tmp partition exists, run the following command to verify that the noexec option is set:
>
>     # findmnt -n /var/tmp | grep -Ev '\bnoexec\b'
>
> Nothing should be returned.
>
> Remediation: For existing /var/tmp partitions, edit the /etc/fstab file and add noexec to the fourth field (mounting options) of the /var/tmp entry. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp:
>
>     # mount -o remount,noexec /var/tmp

There are now more PRs that address this BZ:

- https://github.com/ComplianceAsCode/content/pull/9204
- https://github.com/ComplianceAsCode/content/pull/9324

This PR was also required: https://github.com/ComplianceAsCode/content/pull/9339

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7563
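The three-state behaviour the Doc Text describes (not applicable when there is no separate partition, fail only when the partition is mounted without the option) and the CIS audit quoted in the comment above, as an added example: this POSIX shell check is not SSG project code and not the CIS audit text. It parses the options field of a file in `/proc/self/mounts` format, so it can be run offline against a constructed sample; on a live RHEL host pass `/proc/self/mounts` instead. The function names, the return-code mapping and the sample mount table are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not SSG project code, not the CIS audit text): a three-state
# mount-option check with the semantics the fixed SSG rules now have.
# Input is a file in /proc/self/mounts format; on a live host use /proc/self/mounts.

# mount_options FILE MOUNTPOINT
# Prints the option field (4th column) of the last entry whose target is
# MOUNTPOINT; the last entry wins because the kernel lists the topmost mount
# last. Prints nothing and returns 1 when MOUNTPOINT is not a mount point.
mount_options() {
    awk -v mp="$2" '
        $2 == mp { opts = $4; found = 1 }
        END { if (found) print opts; exit !found }
    ' "$1"
}

# check_mount_option FILE MOUNTPOINT OPTION
# Echoes one of pass / fail / notapplicable and returns 0 / 1 / 2:
#   notapplicable  MOUNTPOINT is not a separate filesystem (nothing to check)
#   pass           it is mounted and OPTION is among its mount options
#   fail           it is mounted without OPTION
# Matching on ",opt," in the options field means "exec" cannot match "noexec"
# and a device or path name containing the word cannot mask a missing option.
check_mount_option() {
    _opts=$(mount_options "$1" "$2") || { echo notapplicable; return 2; }
    case ",$_opts," in
        *",$3,"*) echo pass; return 0 ;;
        *)        echo fail; return 1 ;;
    esac
}

# Constructed sample (an assumption, not captured from a real host): /tmp is a
# separate tmpfs with nodev,nosuid,noexec; /home is mounted without noexec;
# /var/tmp has no entry at all, i.e. it lives on the root filesystem.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat >"$SAMPLE_MOUNTS" <<'EOF'
/dev/mapper/rhel-root / xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/rhel-home /home xfs rw,seclabel,nosuid,nodev,relatime 0 0
EOF

# Evaluate the three mount options against each mount point of interest.
for mp in /tmp /var/tmp /home; do
    for opt in nodev nosuid noexec; do
        printf '%-9s %-7s %s\n' "$mp" "$opt" \
            "$(check_mount_option "$SAMPLE_MOUNTS" "$mp" "$opt")"
    done
done
```

On the sample, every `/var/tmp` row comes out as `notapplicable`, the `/tmp` rows as `pass`, and `/home noexec` as `fail`. Note the design difference from the quoted CIS one-liner: `findmnt -n /var/tmp | grep -Ev '\bnoexec\b'` suppresses the whole output line whenever the word `noexec` appears anywhere in it, source device and target path included, whereas the check above only looks inside the options field.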