Bug 1656887 - Security scanner detects for RHVM and RHVH "Partition Mounting Weakness (unix-partition-mounting-weakness)"
Summary: Security scanner detects for RHVM and RHVH "Partition Mounting Weakness (unix...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: redhat-virtualization-host
Version: 4.2.7
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ovirt-4.3.4
: 4.3.0
Assignee: Yuval Turgeman
QA Contact: Qin Yuan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-12-06 15:39 UTC by Sachin Raje
Modified: 2020-08-03 15:42 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-01 13:16:10 UTC
oVirt Team: Node
Target Upstream Version:
lsvaty: testing_plan_complete-


Attachments (Terms of Use)
mount option added when DISA STIG profile is selected (76.67 KB, image/png)
2019-03-04 10:02 UTC, Qin Yuan
no flags Details

Description Sachin Raje 2018-12-06 15:39:30 UTC
3.3.3. Partition Mounting Weakness (unix-partition-mounting-weakness)

Description:

One or more of the system's partitions are mounted without certain hardening options enabled. While this is not a definite vulnerability
on its own, system security may be improved by employing hardening techniques.

Vulnerability Solution:
The specific way to modify the partition mount options varies from system to system. Consult your operating system's manual or mount
man page.


This is detected for both RHVM and RHVH version 4.2

Comment 14 Sandro Bonazzola 2019-02-18 07:57:57 UTC
Moving to 4.3.2 not being identified as blocker for 4.3.1

Comment 15 Sandro Bonazzola 2019-02-26 09:25:53 UTC
This should be ok after applying DISA STIG profile to RHV-H.

Comment 16 Qin Yuan 2019-03-04 10:01:34 UTC
The DISA STIG profile only adds 'nosuid' option to /home, no other options for other partitions. So only applying DISA STIG profile while installing RHVH probably can't got this bug solved.

Comment 17 Qin Yuan 2019-03-04 10:02:58 UTC
Created attachment 1540576 [details]
mount option added when DISA STIG profile is selected

Comment 18 Sandro Bonazzola 2019-03-18 14:45:37 UTC
Re-targeting to 4.3.5 being more than STIG which we are currently targeting.

Comment 19 Sandro Bonazzola 2019-04-01 13:16:10 UTC
RHV-H has no multiple users and if you can access the host having already root user there's no non-root privileged users that can leverage those mount options weakness.
That said, we are now STIG compliant so the suggestion here is to deploy RHV-H with STIG profile.


Note You need to log in before you can comment on or make changes to this bug.