Merge 42504d6 into af943a8

.rubocop.yml

@@ -8,6 +8,7 @@ AllCops:
 Metrics/AbcSize:
   Max: 29
 Metrics/LineLength:
+  Max: 100
   Include:
     - spec/**/*.rb
 Metrics/MethodLength:

README.md

@@ -70,6 +70,8 @@ It will not:
   list of things, that a user is allowed to do. May contain: `change_user`
 * `['os-hardening']['security']['kernel']['enable_module_loading'] = true`
   true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`)
+* `['os-hardening']['security']['kernel']['disable_filesystems'] = ['cramfs', 'freevxfs', 'jffs2', 'hfs', 'hfsplus', 'squashfs', 'udf', 'vfat']`
+  list of kernel file system modules, which are blacklisted for loading (e.g. they are unused and can be disabled). Set this to `[]` to completely avoid this blacklisting
 * `['os-hardening']['security']['kernel']['enable_sysrq'] = false`
 * `['os-hardening']['security']['kernel']['enable_core_dump'] = false`
 * `['os-hardening']['security']['suid_sgid']['enforce'] = true`

attributes/default.rb

@@ -88,6 +88,7 @@
 # may contain: change_user
 default['os-hardening']['security']['users']['allow']                  = []
 default['os-hardening']['security']['kernel']['enable_module_loading'] = true
+default['os-hardening']['security']['kernel']['disable_filesystems']   = %w[cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat]
 default['os-hardening']['security']['kernel']['enable_sysrq']          = false
 default['os-hardening']['security']['kernel']['enable_core_dump']      = false
 default['os-hardening']['security']['suid_sgid']['enforce']            = true

recipes/sysctl.rb

@@ -170,3 +170,18 @@
     end
   end
 end
+
+# CIS requirement: disable unused filesystems
+if node['os-hardening']['security']['kernel']['disable_filesystems'].empty?
+  file '/etc/modprobe.d/dev-sec.conf' do
+    action :delete
+  end
+else
+  template '/etc/modprobe.d/dev-sec.conf' do
+    source 'filesystem_blacklisting.erb'
+    mode 0440
+    owner 'root'
+    group 'root'
+    variables filesystems: node['os-hardening']['security']['kernel']['disable_filesystems']
+  end
+end

spec/recipes/sysctl_spec.rb

@@ -365,4 +365,47 @@
       end
     end
   end
+
+  describe 'filesystems' do
+    let(:disable_filesystems) { nil }
+    let(:chef_run) do
+      ChefSpec::SoloRunner.new do |node|
+        if disable_filesystems
+          node.normal['os-hardening']['security']['kernel']['disable_filesystems'] =
+            disable_filesystems
+        end
+      end.converge(described_recipe)
+    end
+
+    describe 'when unused filesystems are disabled with default values' do
+      it 'should render the proper modprobe file' do
+        %w[cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat].each do |fs|
+          expect(chef_run).to render_file('/etc/modprobe.d/dev-sec.conf').
+            with_content("install #{fs} /bin/true")
+        end
+      end
+    end
+
+    describe 'when only some filesystems are disabled' do
+      let(:disable_filesystems) { %w[vfat udf] }
+
+      it 'should render the proper modprobe file' do
+        %w[udf vfat].each do |fs|
+          expect(chef_run).to render_file('/etc/modprobe.d/dev-sec.conf').
+            with_content("install #{fs} /bin/true")
+        end
+
+        expect(chef_run).not_to render_file('/etc/modprobe.d/dev-sec.conf').
+          with_content('install cramfs /bin/true')
+      end
+    end
+
+    describe 'when unused filesystems are not disabled' do
+      let(:disable_filesystems) { %w[] }
+
+      it 'should delete the modprobe file' do
+        expect(chef_run).to delete_file('/etc/modprobe.d/dev-sec.conf')
+      end
+    end
+  end
 end

templates/default/filesystem_blacklisting.erb

@@ -0,0 +1,9 @@
+<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
+# <%= l %>
+<% end %>
+#
+#--
+
+<% @filesystems.each do |fs| %>
+install <%= fs %> /bin/true
+<% end %>