1656887 – Security scanner detects for RHVM and RHVH "Partition Mounting Weakness (unix-partition-mounting-weakness)"

Bug 1656887 - Security scanner detects for RHVM and RHVH "Partition Mounting Weakness (unix-partition-mounting-weakness)"

Summary: Security scanner detects for RHVM and RHVH "Partition Mounting Weakness (unix...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	redhat-virtualization-host
Sub Component:
Version:	4.2.7
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	Yuval Turgeman
QA Contact:	Qin Yuan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-12-06 15:39 UTC by Sachin Raje
Modified:	2022-03-22 13:06 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-04-01 13:16:10 UTC
oVirt Team:	Node
Target Upstream Version:
Embargoed:
Flags:	lsvaty: testing_plan_complete-

Attachments	(Terms of Use)
mount option added when DISA STIG profile is selected (76.67 KB, image/png) 2019-03-04 10:02 UTC, Qin Yuan	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHV-45381	0	None	None	None	2022-03-22 13:06:26 UTC

Description Sachin Raje 2018-12-06 15:39:30 UTC

3.3.3. Partition Mounting Weakness (unix-partition-mounting-weakness)

Description:

One or more of the system's partitions are mounted without certain hardening options enabled. While this is not a definite vulnerability
on its own, system security may be improved by employing hardening techniques.

Vulnerability Solution:
The specific way to modify the partition mount options varies from system to system. Consult your operating system's manual or mount
man page.


This is detected for both RHVM and RHVH version 4.2

Comment 14 Sandro Bonazzola 2019-02-18 07:57:57 UTC

Moving to 4.3.2 not being identified as blocker for 4.3.1

Comment 15 Sandro Bonazzola 2019-02-26 09:25:53 UTC

This should be ok after applying DISA STIG profile to RHV-H.

Comment 16 Qin Yuan 2019-03-04 10:01:34 UTC

The DISA STIG profile only adds 'nosuid' option to /home, no other options for other partitions. So only applying DISA STIG profile while installing RHVH probably can't got this bug solved.

Comment 17 Qin Yuan 2019-03-04 10:02:58 UTC

Created attachment 1540576 [details]
mount option added when DISA STIG profile is selected

Comment 18 Sandro Bonazzola 2019-03-18 14:45:37 UTC

Re-targeting to 4.3.5 being more than STIG which we are currently targeting.

Comment 19 Sandro Bonazzola 2019-04-01 13:16:10 UTC

RHV-H has no multiple users and if you can access the host having already root user there's no non-root privileged users that can leverage those mount options weakness.
That said, we are now STIG compliant so the suggestion here is to deploy RHV-H with STIG profile.

Note You need to log in before you can comment on or make changes to this bug.