
DLPX-86532 CIS: /tmp filesystem and mount options #753

Conversation

abhi2196

@abhi2196 abhi2196 commented Feb 6, 2024

Problem

(1.15) 7394 Status of the '/tmp partition' setting in the '/etc/fstab' file
The '/tmp' directory is often used as a temporary data directory with world-writable content. To mitigate the risk of DoS flood and privilege escalation attacks, the '/tmp' directory should be moved onto a separate partition to manage these risks and this setting should be configured according to the security policies and needs of the business.

Remediation: The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

(1.16) 13243 Status of '/tmp' partition using mount command
Typically, the '/tmp' directory is used for storing temporary data with world-writable content. To mitigate the risk of DoS flood and privilege escalation attacks, it is recommended to have a separate partition for the '/tmp' directory. Thus, the partition for the '/tmp' directory should be defined in accordance with the business needs and organization's security policies.

The following List String value(s) X indicates the status of '/tmp' partition using mount command. The result consists of file system, partition, partition type and options set for the partition.

Remediation: The '/tmp' directory is used by daemons and other system services to store frequently-changing data. Ensure that '/tmp' has its own partition or logical volume at installation time, or migrate it using LVM.

(1.18) 14599 Status of the 'nodev' option for '/tmp' partition using 'mount' command
The '/tmp' directory is often used as a temporary data directory with world-writable content and is not intended as a mount point for character or block devices. Allowing devices to be mounted on the '/tmp' partition greatly increases the risks from unauthorized access, corruption or deletion of data by unauthorized/malicious users or programs. Therefore, the 'nodev' mount option for the '/tmp' partition should be configured according to the business needs and organization's security policies.

The following List String value(s) X indicates the status of '/tmp' partition using mount command. The result consists of file system, partition, partition type and options set for the partition.

Remediation: # Run the following command to add the nodev option and remount the partition. $sudo mount -o remount,nodev [partition]

Example:
$sudo mount -o remount,nodev /tmp

Note: Remounting partitions while the system is running can cause instabilities.

(1.20) 14602 Status of the 'nosuid' option for '/tmp' partition using 'mount' command
The '/tmp' directory is often used as a temporary data directory with world-writable content. To prevent resource exhaustion or any malicious use of the shared space, use of appropriate security measures such as using 'nosuid' option while using separate partition for '/tmp' is recommended. Mounting file systems with 'nosuid' can prevent the introduction of rogue set-UID programs or file tampering (when a file system is mounted 'nosuid', then the set-UID bit on executables is ignored), and thus, should be set according to the business needs and organization's security policies.

Remediation: # Run the following command to add the nosuid option and remount the partition. $sudo mount -o remount,nosuid [partition]

Example:
$sudo mount -o remount,nosuid /tmp

Note: Remounting partitions while the system is running can cause instabilities.

(1.22) 14603 Status of the 'noexec' option for '/tmp' partition using 'mount' command
The '/tmp' directory is often used as a temporary data directory with world-writable content. To prevent any malicious activity on the shared space, use of appropriate security measures such as using 'noexec' option while using separate partition for '/tmp' is recommended. Mounting file systems with 'noexec' prevents execution of any binaries on the partition and thus, should be set according to the business needs and organization's security policies.

Remediation: # Run the following command to add the noexec option and remount the partition. $sudo mount -o remount,noexec [partition]

Example:
$sudo mount -o remount,noexec /tmp

Note: Remounting partitions while the system is running can cause instabilities.

Solution

  • Created a separate partition for /tmp and added an entry in /etc/fstab to set all the required mount options as suggested by the CIS report.

Testing Done

  1. Created a VM with these changes and checked that /tmp is mounted with expected options ✅
delphix@ip-10-110-201-149:~$ mount | grep tmp
...
rpool/ROOT/delphix.xI8HSDr/tmp on /tmp type zfs (rw,nosuid,nodev,noexec,relatime,xattr,noacl,casesensitive,x-systemd.before=zfs-import-cache.service)
...
  2. Validated noexec flag ✅
delphix@ip-10-110-201-149:~$ echo -e '#!/bin/bash\necho "Script executed"' > /tmp/test_script.sh
delphix@ip-10-110-201-149:~$ chmod +x /tmp/test_script.sh
delphix@ip-10-110-201-149:~$ /tmp/test_script.sh
bash: /tmp/test_script.sh: Permission denied
  3. Validated nodev flag ✅
delphix@ip-10-110-201-149:~$ sudo mknod /tmp/test_device c 1 5
delphix@ip-10-110-201-149:~$ cat /tmp/test_device
cat: /tmp/test_device: Permission denied
  4. Validated nosuid flag ✅
Create a C program `test_suid.c` with this content:

#include <stdio.h>
#include <unistd.h>

/* Prints both the real and the effective UID: a working set-UID-root binary
 * keeps the caller's real UID but reports effective UID 0, so the effective
 * UID is the value that shows whether the set-UID bit was honoured. */
int main(void) {
    printf("UID: %d  EUID: %d\n", (int)getuid(), (int)geteuid());
    return 0;
}

delphix@ip-10-110-201-149:~$ gcc test_suid.c -o test_suid
delphix@ip-10-110-201-149:~$ mv test_suid /tmp/
delphix@ip-10-110-201-149:~$ sudo chown root:root /tmp/test_suid
delphix@ip-10-110-201-149:~$ sudo chmod u+s /tmp/test_suid
delphix@ip-10-110-201-149:~$ /tmp/test_suid
bash: /tmp/test_suid: Permission denied
  5. Upgrade testing [24.0 -> 25.0] ❌
delphix@ip-10-110-244-60:/tmp$ mount | grep tmp
udev on /dev type devtmpfs (rw,nosuid,noexec,relatime,size=3726396k,nr_inodes=931599,mode=755,inode64)
tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=750260k,mode=755,inode64)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k,inode64)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755,inode64)
rpool/upgrade-logs on /var/tmp/delphix-upgrade type zfs (rw,relatime,xattr,noacl,casesensitive)
tmpfs on /run/user/65433 type tmpfs (rw,nosuid,nodev,relatime,size=750256k,mode=700,uid=65433,gid=50,inode64)
  • We need to figure out how to apply these changes post-upgrade.

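The upgrade-testing output above shows the failure mode this PR leaves open: after an upgrade, `mount | grep tmp` lists `/dev/shm`, `/var/tmp/delphix-upgrade` and other tmpfs entries but no separate `/tmp` mount. The following POSIX sh function is an added example (not code from this PR or from the Delphix project) that turns the check done by hand in the Testing section into a reusable compliance test: it takes `mount` output, isolates the line whose mount point is exactly `/tmp`, and reports whether it is a separate mount carrying `nodev`, `nosuid` and `noexec`. The sample inputs are constructed from the PR's own output so the script runs offline.

```shell
#!/bin/sh
# Constructed samples of `mount` output, copied from the PR's test logs.
# On a live system use: check_tmp_mount "$(mount)"
SAMPLE_OK='rpool/ROOT/delphix.xI8HSDr/tmp on /tmp type zfs (rw,nosuid,nodev,noexec,relatime,xattr,noacl,casesensitive,x-systemd.before=zfs-import-cache.service)'
SAMPLE_POST_UPGRADE='tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
rpool/upgrade-logs on /var/tmp/delphix-upgrade type zfs (rw,relatime,xattr,noacl,casesensitive)'
SAMPLE_WEAK='tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime)'

# check_tmp_mount MOUNT_OUTPUT
# Prints "ok" when /tmp is its own mount with nodev, nosuid and noexec set,
# "not-mounted" when no mount point is exactly /tmp (so /tmp lives on the
# root filesystem), or "missing: <opts>" listing the absent hardening options.
# Returns 0 only in the "ok" case, so it can drive a CI or audit job.
check_tmp_mount() {
    # Match " on /tmp type " so /var/tmp and /tmp-like names are excluded.
    line=$(printf '%s\n' "$1" | grep ' on /tmp type ' || true)
    if [ -z "$line" ]; then
        echo "not-mounted"
        return 1
    fi
    # Mount options are the comma-separated list inside the parentheses.
    opts=$(printf '%s\n' "$line" | sed 's/.*(\(.*\)).*/\1/')
    missing=""
    for want in nodev nosuid noexec; do
        # Wrap in commas so "nodev" does not match inside another token.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
    return 0
}

# Stand-alone demonstration over the three constructed samples.
for s in "$SAMPLE_OK" "$SAMPLE_POST_UPGRADE" "$SAMPLE_WEAK"; do
    check_tmp_mount "$s" || true
done
```

Because the function reads `mount` output rather than `/etc/fstab`, it reports the options actually in effect, which is what the CIS checks (1.16, 1.18, 1.20, 1.22) quoted in the Problem section evaluate.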
@abhi2196 abhi2196 force-pushed the dlpx/pr/abhi2196/ab7eeba8-9658-4445-9827-25ae2218dcbe branch from 69373a8 to 3183090 on February 6, 2024 06:17
@abhi2196 abhi2196 self-assigned this Feb 6, 2024
@abhi2196 abhi2196 marked this pull request as ready for review February 9, 2024 10:37
@abhi2196 abhi2196 force-pushed the dlpx/pr/abhi2196/ab7eeba8-9658-4445-9827-25ae2218dcbe branch 2 times, most recently from dfb7dc1 to 54e4c73 on April 5, 2024 19:51
@abhi2196 abhi2196 force-pushed the dlpx/pr/abhi2196/ab7eeba8-9658-4445-9827-25ae2218dcbe branch from 54e4c73 to cb3e143 on May 6, 2024 11:04
@dbshah12
Contributor

This change is a subpart of #774, so closing this as it is a duplicate of that one.

@dbshah12 dbshah12 closed this Oct 14, 2024