florianutz / ubuntu2004_cis

Ubuntu CIS Hardening Ansible Role
MIT License

tmp_mount_options added noexec to Debian #34

Closed netzzwerch closed 2 years ago

netzzwerch commented 2 years ago

Hi, the change is based on the CIS benchmarks.

florianutz commented 2 years ago

You have to keep in mind that apt may fail when you set noexec on /tmp. That is the reason why the default value deviates from the Benchmark recommendation. But you're right, it should be explicitly mentioned. Everyone can set the variable in their playbook to be CIS compliant if they want to, or if their system has no problem with it.

florianutz commented 2 years ago

Default values remain as they are. Anyone who wants to can overwrite the values for their own environment.
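
Because the role's default leaves noexec off /tmp, a host is only CIS compliant on this point if the playbook overrides the variable. The following is an added example, not part of this thread or of the role's code: a shell audit that reports whether a mount point carries a given option. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a mount point for a mount option (e.g. noexec on /tmp).
# Input is a file in /proc/mounts format: device mountpoint fstype options dump pass

# Constructed sample data, not taken from a real host.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Print the options of the last entry for mount point $1 in file $2.
# Later entries shadow earlier ones; prints nothing if there is no entry.
mount_opts() {
    awk -v mp="$1" '$2 == mp { o = $4 } END { if (o != "") print o }' "$2"
}

# check_mount_opt MOUNTPOINT OPTION FILE
# returns 0 = option set, 1 = mounted without it, 2 = no mount entry of its own
check_mount_opt() {
    opts=$(mount_opts "$1" "$3")
    [ -n "$opts" ] || return 2
    # Match whole comma-separated options so "exec" never matches "noexec".
    case ",$opts," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

report() {
    rc=0
    check_mount_opt "$1" "$2" "$3" || rc=$?
    case "$rc" in
        0) echo "PASS: $1 is mounted with $2" ;;
        1) echo "FAIL: $1 is mounted without $2" ;;
        2) echo "FAIL: $1 has no mount entry of its own" ;;
    esac
}

# Audit the running system when the mount table is readable.
if [ -r /proc/mounts ]; then
    report /tmp noexec /proc/mounts
fi
```

Running the same check before and after applying the role shows whether the override actually took effect on the mounted filesystem rather than only in the configuration.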