delphix / appliance-build

This repository contains the code used to build the Ubuntu-based Delphix Appliance, leveraging open-source tools such as Debian's live-build, Docker, Ansible, OpenZFS, and others.
Apache License 2.0

DLPX-86532 CIS: /tmp filesystem and mount options #753

Closed abhi2196 closed 2 weeks ago

abhi2196 commented 8 months ago

Problem

```
(1.15) 7394 Status of the '/tmp partition' setting in the '/etc/fstab' file
The '/tmp' directory is often used as a temporary data directory with world-writable content. To mitigate the risk of DoS flood and privilege escalation attacks, the '/tmp' directory should be moved onto a separate partition to manage these risks and this setting should be configured according to the security policies and needs of the business.
Remediation: The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

(1.16) 13243 Status of '/tmp' partition using mount command
Typically, the '/tmp' directory is used for storing temporary data with world-writable content. To mitigate the risk of DoS flood and privilege escalation attacks, it is recommended to have separate partition for '/tmp' directory. Thus, partition for '/tmp' directory should be defined in accordance to the business needs and organization's security policies. The following List String value(s) X indicates the status of '/tmp' partition using mount command. The result consists of file system, partition, partition type and options set for the partition.
Remediation: The '/tmp' directory is used by daemons and other system services to store frequently-changing data. Ensure that '/tmp' has its own partition or logical volume at installation time, or migrate it using LVM

(1.18) 14599 Status of the 'nodev' option for '/tmp' partition using 'mount' command
The '/tmp' directory is often used as a temporary data directory with world-writable content and is not intended as a mount point for character or block devices. Allowing devices to be mounted on the '/tmp' partition, greatly increases the risks from unauthorized access, corruption or deletion of data by unauthorized/malicious users or programs. Therefore, the 'nodev' mount option for the '/tmp' partition should be configured according to the business needs and organization's security policies. The following List String value(s) X indicates the status of '/tmp' partition using mount command. The result consists of file system, partition, partition type and options set for the partition.
Remediation:
# Run the following command to add the nodev option and remount the partition.
$sudo mount -o remount,nodev [partition]
Example: $sudo mount -o remount,nodev /tmp
Note: Remounting partitions while system is running can cause instabilities.

(1.20) 14602 Status of the 'nosuid' option for '/tmp' partition using 'mount' command
The '/tmp' directory is often used as a temporary data directory with world-writable content. To prevent resource exhaustion or any malicious use of the shared space, use of appropriate security measures such as using 'nosuid' option while using separate partition for '/tmp' is recommended. Mounting file systems with 'nosuid' can prevent the introduction of rogue set-UID programs or file tampering (when a file system is mounted 'nosuid', then the set-UID bit on executables is ignored), and thus, should be set according to the business needs and organization's security policies.
Remediation:
# Run the following command to add the nosuid option and remount the partition.
$sudo mount -o remount,nosuid [partition]
Example: $sudo mount -o remount,nosuid /tmp
Note: Remounting partitions while system is running can cause instabilities.

(1.22) 14603 Status of the 'noexec' option for '/tmp' partition using 'mount' command
The '/tmp' directory is often used as a temporary data directory with world-writable content. To prevent any malicious activity on the shared space, use of appropriate security measures such as using 'noexec' option while using separate partition for '/tmp' is recommended. Mounting file systems with 'noexec' prevents execution of any binaries on the partition and thus, should be set according to the business needs and organization's security policies.
Remediation:
# Run the following command to add the noexec option and remount the partition.
$sudo mount -o remount,noexec [partition]
Example: $sudo mount -o remount,noexec /tmp
Note: Remounting partitions while system is running can cause instabilities.
```

Solution

- Created a separate partition for the `tmp` and added an entry in `/etc/fstab` to add all the required mount options as suggested by the CIS report.

Testing Done

- `ab-pre-push`: http://selfservice.jenkins.delphix.com/job/github/job/delphix/job/appliance-build/job/appliance-build-orchestrator/job/pre-push/343/console - Failed due to [TOOL-25273](https://delphix.atlassian.net/browse/TOOL-25273)
- `ab-pre-push` `3rd July 24`: http://selfservice.jenkins.delphix.com/job/appliance-build-orchestrator-pre-push/8840/ ✅
- `Manual Testing`:
  1. Created a VM with these changes and checked that `/tmp` is mounted with the expected options ✅
     ```
     delphix@ip-10-110-201-149:~$ mount | grep tmp
     ...
     rpool/ROOT/delphix.xI8HSDr/tmp on /tmp type zfs (rw,nosuid,nodev,noexec,relatime,xattr,noacl,casesensitive,x-systemd.before=zfs-import-cache.service)
     ...
     ```
  2. Validated `noexec` flag ✅
     ```
     delphix@ip-10-110-201-149:~$ echo -e '#!/bin/bash\necho "Script executed"' > /tmp/test_script.sh
     delphix@ip-10-110-201-149:~$ chmod +x /tmp/test_script.sh
     delphix@ip-10-110-201-149:~$ /tmp/test_script.sh
     bash: /tmp/test_script.sh: Permission denied
     ```
  3. Validated `nodev` flag ✅
     ```
     delphix@ip-10-110-201-149:~$ sudo mknod /tmp/test_device c 1 5
     delphix@ip-10-110-201-149:~$ cat /tmp/test_device
     cat: /tmp/test_device: Permission denied
     ```
  4. Validated `nosuid` flag ✅
     ```
     Create a C program `test_suid.c` with this content:

     #include <stdio.h>
     #include <unistd.h>

     int main() {
         printf("UID: %d\n", getuid());
         return 0;
     }

     delphix@ip-10-110-201-149:~$ gcc test_suid.c -o test_suid
     delphix@ip-10-110-201-149:~$ mv test_suid /tmp/
     delphix@ip-10-110-201-149:~$ sudo chown root:root /tmp/test_suid
     delphix@ip-10-110-201-149:~$ sudo chmod u+s /tmp/test_suid
     delphix@ip-10-110-201-149:~$ /tmp/test_suid
     bash: /tmp/test_suid: Permission denied
     ```
  5. Upgrade testing [`24.0` -> `25.0`] ❌
     - Upgrade Job: http://selfservice.jenkins.delphix.com/job/blackbox-self-service/140021/testReport/ ✅
     - After the upgrade, `/tmp` is not mounted using the expected options, as the changes are not applied.
       ```
       delphix@ip-10-110-244-60:/tmp$ mount | grep tmp
       udev on /dev type devtmpfs (rw,nosuid,noexec,relatime,size=3726396k,nr_inodes=931599,mode=755,inode64)
       tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=750260k,mode=755,inode64)
       tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
       tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k,inode64)
       tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755,inode64)
       rpool/upgrade-logs on /var/tmp/delphix-upgrade type zfs (rw,relatime,xattr,noacl,casesensitive)
       tmpfs on /run/user/65433 type tmpfs (rw,nosuid,nodev,relatime,size=750256k,mode=700,uid=65433,gid=50,inode64)
       ```
     - We need to figure out how to apply these changes post-upgrade.
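The manual checks above verify each option by hand; the following POSIX-shell check is an added example (not code from this PR or the appliance-build repository) that automates the same verification from a `/proc/mounts`-format table and also catches the post-upgrade failure mode, where `/tmp` is not a separate mount at all. The sample tables are constructed, modelled on the two mount listings in this PR.

```shell
#!/bin/sh
# Added example: verify that /tmp is its own mount and carries every
# CIS-required option (nodev, nosuid, noexec). Input is /proc/mounts format:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>

# tmp_mount_missing MOUNTS_TEXT
# Prints "compliant" (exit 0), "no-separate-mount" (exit 1) when no entry
# is mounted on /tmp, or the space-separated list of missing options (exit 1).
tmp_mount_missing() {
    # The last matching entry wins, since later mounts shadow earlier ones.
    opts=$(printf '%s\n' "$1" | awk '$2 == "/tmp" { print $4 }' | tail -n 1)
    if [ -z "$opts" ]; then
        echo "no-separate-mount"
        return 1
    fi
    missing=""
    for opt in nodev nosuid noexec; do
        case ",$opts," in
            *",$opt,"*) ;;                       # option present
            *) missing="$missing $opt" ;;        # option absent
        esac
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        echo "$missing"
        return 1
    fi
    echo "compliant"
    return 0
}

# Constructed sample tables (not captured from a real host).
# 1) /tmp on its own zfs dataset with the expected options, as in the new VM.
GOOD_MOUNTS='rpool/ROOT/delphix.xI8HSDr/tmp /tmp zfs rw,nosuid,nodev,noexec,relatime,xattr,noacl 0 0'
# 2) the post-upgrade host: unrelated tmpfs mounts only, no /tmp entry.
UPGRADE_MOUNTS='tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,inode64 0 0'
# 3) a separate /tmp that was mounted without noexec.
WEAK_MOUNTS='tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

# Demo run over the constructed tables; a live check would pass "$(cat /proc/mounts)".
for table in "$GOOD_MOUNTS" "$UPGRADE_MOUNTS" "$WEAK_MOUNTS"; do
    tmp_mount_missing "$table" || true
done
```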
dbshah12 commented 2 weeks ago

This change is a subpart of https://github.com/delphix/appliance-build/pull/774, so closing this as it is a duplicate of it.