This repository contains the code used to build the Ubuntu-based Delphix Appliance, leveraging open-source tools such as Debian's live-build, Docker, Ansible, OpenZFS, and others.
Apache License 2.0
DLPX-86532 CIS: /tmp filesystem and mount options #753
```
(1.15) 7394 Status of the '/tmp partition' setting in the '/etc/fstab' file
The '/tmp' directory is often used as a temporary data directory with world-writable content. To mitigate the risk of DoS flood and privilege escalation attacks, the '/tmp' directory should be moved onto a separate partition to manage these risks and this setting should be configured according to the security policies and needs of the business.
Remediation: The "/tmp" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
(1.16) 13243 Status of '/tmp' partition using mount command
Typically, the '/tmp' directory is used for storing temporary data with world-writable content. To mitigate the risk of DoS flood and privilege escalation attacks, it is recommended to have a separate partition for the '/tmp' directory. Thus, the partition for the '/tmp' directory should be defined in accordance with the business needs and organization's security policies.
The following List String value(s) X indicates the status of '/tmp' partition using mount command. The result consists of file system, partition, partition type and options set for the partition.
Remediation: The '/tmp' directory is used by daemons and other system services to store frequently-changing data. Ensure that '/tmp' has its own partition or logical volume at installation time, or migrate it using LVM.
(1.18) 14599 Status of the 'nodev' option for '/tmp' partition using 'mount' command
The '/tmp' directory is often used as a temporary data directory with world-writable content and is not intended as a mount point for character or block devices. Allowing devices to be mounted on the '/tmp' partition greatly increases the risks from unauthorized access, corruption or deletion of data by unauthorized/malicious users or programs. Therefore, the 'nodev' mount option for the '/tmp' partition should be configured according to the business needs and organization's security policies.
The following List String value(s) X indicates the status of '/tmp' partition using mount command. The result consists of file system, partition, partition type and options set for the partition.
Remediation: # Run the following command to add the nodev option and remount the partition. $sudo mount -o remount,nodev [partition]
Example:
$sudo mount -o remount,nodev /tmp
Note: Remounting partitions while system is running can cause instabilities.
(1.20) 14602 Status of the 'nosuid' option for '/tmp' partition using 'mount' command
The '/tmp' directory is often used as a temporary data directory with world-writable content. To prevent resource exhaustion or any malicious use of the shared space, use of appropriate security measures such as using 'nosuid' option while using separate partition for '/tmp' is recommended. Mounting file systems with 'nosuid' can prevent the introduction of rogue set-UID programs or file tampering (when a file system is mounted 'nosuid', then the set-UID bit on executables is ignored), and thus, should be set according to the business needs and organization's security policies.
Remediation: # Run the following command to add the nosuid option and remount the partition. $sudo mount -o remount,nosuid [partition]
Example:
$sudo mount -o remount,nosuid /tmp
Note: Remounting partitions while system is running can cause instabilities.
(1.22) 14603 Status of the 'noexec' option for '/tmp' partition using 'mount' command
The '/tmp' directory is often used as a temporary data directory with world-writable content. To prevent any malicious activity on the shared space, use of appropriate security measures such as using 'noexec' option while using separate partition for '/tmp' is recommended. Mounting file systems with 'noexec' prevents execution of any binaries on the partition and thus, should be set according to the business needs and organization's security policies.
Remediation: # Run the following command to add the noexec option and remount the partition. $sudo mount -o remount,noexec [partition]
Example:
$sudo mount -o remount,noexec /tmp
Note: Remounting partitions while system is running can cause instabilities.
```
Solution
- Created a separate partition for `/tmp` and added an entry in `/etc/fstab` to add all the required mount options as suggested by the CIS report.
Testing Done
- `ab-pre-push`: http://selfservice.jenkins.delphix.com/job/github/job/delphix/job/appliance-build/job/appliance-build-orchestrator/job/pre-push/343/console - Failed due to [TOOL-25273](https://delphix.atlassian.net/browse/TOOL-25273)
- `ab-pre-push` `3rd July 24`: http://selfservice.jenkins.delphix.com/job/appliance-build-orchestrator-pre-push/8840/ ✅
- `Manual Testing`:
1. Created a VM with these changes and checked that `/tmp` is mounted with expected options ✅
```
delphix@ip-10-110-201-149:~$ mount | grep tmp
...
rpool/ROOT/delphix.xI8HSDr/tmp on /tmp type zfs (rw,nosuid,nodev,noexec,relatime,xattr,noacl,casesensitive,x-systemd.before=zfs-import-cache.service)
...
```
2. Validated `noexec` flag ✅
```
delphix@ip-10-110-201-149:~$ echo -e '#!/bin/bash\necho "Script executed"' > /tmp/test_script.sh
delphix@ip-10-110-201-149:~$ chmod +x /tmp/test_script.sh
delphix@ip-10-110-201-149:~$ /tmp/test_script.sh
bash: /tmp/test_script.sh: Permission denied
```
3. Validated `nodev` flag ✅
```
delphix@ip-10-110-201-149:~$ sudo mknod /tmp/test_device c 1 5
delphix@ip-10-110-201-149:~$ cat /tmp/test_device
cat: /tmp/test_device: Permission denied
```
4. Validated `nosuid` flag ✅
```
Create a C program `test_suid.c` with this content:
#include <stdio.h>
#include <unistd.h>
/* Print both IDs: the set-UID bit changes the effective UID (geteuid), not the
   real one, so a working set-UID root binary shows euid=0 and a nosuid mount
   leaves euid equal to the caller's uid. */
int main(void) {
printf("uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
return 0;
}
delphix@ip-10-110-201-149:~$ gcc test_suid.c -o test_suid
delphix@ip-10-110-201-149:~$ mv test_suid /tmp/
delphix@ip-10-110-201-149:~$ sudo chown root:root /tmp/test_suid
delphix@ip-10-110-201-149:~$ sudo chmod u+s /tmp/test_suid
delphix@ip-10-110-201-149:~$ /tmp/test_suid
bash: /tmp/test_suid: Permission denied
```
5. Upgrade testing [`24.0` -> `25.0`] ❌
- Upgrade Job: http://selfservice.jenkins.delphix.com/job/blackbox-self-service/140021/testReport/ ✅
- After the upgrade, `/tmp` is not mounted with the expected options, as the changes are not applied.
```
delphix@ip-10-110-244-60:/tmp$ mount | grep tmp
udev on /dev type devtmpfs (rw,nosuid,noexec,relatime,size=3726396k,nr_inodes=931599,mode=755,inode64)
tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=750260k,mode=755,inode64)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k,inode64)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755,inode64)
rpool/upgrade-logs on /var/tmp/delphix-upgrade type zfs (rw,relatime,xattr,noacl,casesensitive)
tmpfs on /run/user/65433 type tmpfs (rw,nosuid,nodev,relatime,size=750256k,mode=700,uid=65433,gid=50,inode64)
```
- We need to figure out how to apply these changes post-upgrade.
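The manual checks above read `mount | grep tmp` by eye, and the upgrade case shows `/tmp` missing from the mount table altogether. The script below is an added example, not code from this PR or from the appliance-build repo: it audits a `/proc/self/mounts`-style table for the three CIS options and prints the CIS remount command for whatever is missing. The three sample tables are constructed from the listings above plus one made-up unhardened case, and the function names (`mount_line`, `missing_opts`, `remount_cmd`) are this example's own.

```shell
#!/bin/sh
# Added example (not appliance-build code): audit a mount table for the CIS /tmp
# options (nodev, nosuid, noexec) and build the remediation remount command.
# It reads a /proc/self/mounts-style file so the logic runs offline on captured
# listings; pass no file to audit the live system (reading it needs no root).

REQUIRED_OPTS="nodev nosuid noexec"

# mount_line MOUNTPOINT [MOUNTS_FILE]
# Print the mount-table line whose mount point is exactly MOUNTPOINT. The last
# match wins, which is the mount actually visible when one is stacked on another.
mount_line() {
  awk -v mp="$1" '$2 == mp { line = $0 } END { print line }' "${2:-/proc/self/mounts}"
}

# missing_opts MOUNTPOINT [MOUNTS_FILE]
# Print the required options absent from MOUNTPOINT, space separated.
# Exit 0 when fully hardened, 1 when options are missing, 2 when MOUNTPOINT is
# not a separate mount at all (the post-upgrade state recorded above).
missing_opts() {
  line=$(mount_line "$1" "$2")
  [ -n "$line" ] || { echo "not-mounted"; return 2; }
  opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
  missing=""
  for o in $REQUIRED_OPTS; do
    # Wrap in commas so "nodev" cannot match inside another option's name or value.
    case ",$opts," in
      *",$o,"*) ;;
      *) missing="${missing:+$missing }$o" ;;
    esac
  done
  [ -z "$missing" ] && return 0
  echo "$missing"
  return 1
}

# remount_cmd MOUNTPOINT [MOUNTS_FILE]
# Print the CIS-style remount command for whatever is missing; print nothing when
# nothing is missing. A remount only lasts until reboot, so the persistent fix is
# still the fstab entry (or, for a ZFS dataset, its devices/setuid/exec properties).
remount_cmd() {
  if m=$(missing_opts "$1" "$2"); then
    return 0
  else
    rc=$?
  fi
  if [ "$rc" -eq 2 ]; then
    echo "# $1 is not a separate mount; a remount cannot add it"
    return 2
  fi
  echo "mount -o remount,$(echo "$m" | tr ' ' ',') $1"
  return 1
}

# Constructed sample tables in /proc/self/mounts format (device mountpoint fstype
# options dump pass), transcribed from the two listings in this PR plus one
# made-up unhardened case. x-systemd.* options live only in fstab, never here.
HARDENED=$(mktemp); UNHARDENED=$(mktemp); UPGRADED=$(mktemp)
trap 'rm -f "$HARDENED" "$UNHARDENED" "$UPGRADED"' EXIT
cat > "$HARDENED" <<'EOF'
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=750260k,mode=755,inode64 0 0
rpool/ROOT/delphix.xI8HSDr/tmp /tmp zfs rw,nosuid,nodev,noexec,relatime,xattr,noacl,casesensitive 0 0
EOF
cat > "$UNHARDENED" <<'EOF'
rpool/ROOT/delphix.xI8HSDr/tmp /tmp zfs rw,relatime,xattr,noacl,casesensitive 0 0
EOF
cat > "$UPGRADED" <<'EOF'
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=750260k,mode=755,inode64 0 0
rpool/upgrade-logs /var/tmp/delphix-upgrade zfs rw,relatime,xattr,noacl,casesensitive 0 0
EOF

# Walk through the three states: hardened, unhardened, and not a separate mount.
for f in "$HARDENED" "$UNHARDENED" "$UPGRADED"; do
  if m=$(missing_opts /tmp "$f"); then
    echo "/tmp: hardened"
  else
    echo "/tmp: $m -> $(remount_cmd /tmp "$f")"
  fi
done
```

Run it as-is for the walkthrough, or call `missing_opts /tmp` with no file argument to audit the live system (`findmnt -no OPTIONS /tmp` prints the raw option list for comparison). Two caveats are worth keeping next to the validation steps above. On a mount that carries both `noexec` and `nosuid`, direct execution fails with `Permission denied` from `noexec` before the set-UID bit is consulted, so step 4 is exercising `noexec`; to check `nosuid` on its own, mount a test filesystem with only `nosuid` and compare `getuid()` with `geteuid()`. And a script on a `noexec` mount still runs as `bash /tmp/test_script.sh`, because the interpreter is what gets executed, so `noexec` raises the bar for dropped binaries but is not a security boundary.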