Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix for jammy cis 1.1.7.3 #334

Merged
merged 1 commit into from
Sep 9, 2024
Merged

fix for jammy cis 1.1.7.3 #334

merged 1 commit into from
Sep 9, 2024

Conversation

xtreme-nitin-ravindran
Copy link
Member

cis wants nosuid on /home mount

1.1.7.3 Ensure nosuid option set on /home partition

@xtreme-nitin-ravindran
fix for jammy cis 1.1.7.3
c98af33 
cis wants nosuid on /home mount

`1.1.7.3 Ensure nosuid option set on /home partition`
@xtreme-nitin-ravindran xtreme-nitin-ravindran requested a review from a team September 9, 2024 09:16
@rkoster rkoster requested review from a team, ystros and lnguyen and removed request for a team September 9, 2024 09:17
@rkoster
Copy link
Contributor

rkoster commented Sep 9, 2024

@xtreme-nitin-ravindran could you provide a link to the relevant CIS documentation?

@xtreme-nitin-ravindran
Copy link
Member Author

1.1.7.3 Ensure nosuid option set on /home partition (Automated)

Profile Applicability:

  • Level 1 - Server
  • Level 1 - Workstation

Description:

The nosuid mount option specifies that the filesystem cannot contain setuid files.
Rationale:
Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home.

Audit:

Verify that the nosuid option is set for the /home mount. Run the following command to verify that the nosuid mount option is set. Example:

# findmnt --kernel /home 
/home /dev/sdb ext4 rw,nosuid,nodev,relatime,seclabel

IF output is produced, ensure it includes the nosuid option

Remediation:

IF the /home partition exists, edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /home partition. Example:

<device> /home <fstype> defaults,rw,nosuid,nodev,relatime 0 0

Run the following command to remount /home with the configured options:

# mount -o remount /home

https://www.cisecurity.org/benchmark/ubuntu_linux

@rkoster rkoster merged commit bd8cbb0 into main Sep 9, 2024
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aramprice aramprice aramprice approved these changes

@jpalermo jpalermo jpalermo approved these changes

@rkoster rkoster rkoster approved these changes

@ystros ystros Awaiting requested review from ystros ystros was automatically assigned from cloudfoundry/wg-foundational-infrastructure-vm-deployment-lifecycle-bosh-approvers

@lnguyen lnguyen Awaiting requested review from lnguyen lnguyen was automatically assigned from cloudfoundry/wg-foundational-infrastructure-vm-deployment-lifecycle-bosh-approvers

Assignees
No one assigned
Labels
None yet
Projects
Foundational Infrastructure Working Group
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@xtreme-nitin-ravindran @rkoster @aramprice @jpalermo