
Test for mount-options on `/tmp` are incomplete

Open ferricoxide opened this issue 2 years ago • 2 comments

Description of problem:

Remediation- and scan-profiles don't know how to deal with systems where /tmp is a pseudofilesystem (managed by the tmp.mount systemd service).

SCAP Security Guide Version:

0.1.68

Operating System Version:

Red Hat 8.8

Steps to Reproduce:

  1. Install compliance-as-code tooling on a RHEL 8 system configured with the tmp.mount service enabled
  2. Execute the bundled remediation automation-content
  3. Reboot the system
  4. Perform a compliance scan
  5. Receive a scan-report calling out /tmp missing the required mount-option

Actual Results:

Scan-results call out /tmp missing the required mount-option

Expected Results:

Scan-results should not call out /tmp missing the required mount-option

Additional Information/Debugging Steps:

Instead of testing just /etc/fstab, the scan should also test for the actual mount-options in /proc/mounts and any specified in the systemd drop-in file, /etc/systemd/system/tmp.mount.d/options.conf

Recommended additions:

  1. Check for the presence of an /etc/systemd/system/tmp.mount.d/options.conf file
  2. If the /etc/systemd/system/tmp.mount.d/options.conf file exists, check the requested mount-options:

        # cat /etc/systemd/system/tmp.mount.d/options.conf
        [Mount]
        Options=mode=1777,strictatime,nosuid,noexec,nodev

ferricoxide avatar Oct 06 '23 14:10 ferricoxide

Okay, but how exactly is /tmp mounted? What is the output of mount?

evgenyz avatar Nov 14 '23 11:11 evgenyz

$ mount | grep -w /tmp
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,seclabel)

$ grep -w /tmp /proc/mounts
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,noexec 0 0

$ cat /etc/systemd/system/tmp.mount.d/options.conf
[Mount]
Options=mode=1777,strictatime,nosuid,noexec,nodev

$ systemctl status tmp.mount
● tmp.mount - Temporary Directory (/tmp)
   Loaded: loaded (/usr/lib/systemd/system/tmp.mount; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/tmp.mount.d
           └─options.conf
   Active: active (mounted) since Tue 2023-11-14 17:53:53 UTC; 30min ago
    Where: /tmp
     What: tmpfs
     Docs: man:hier(7)
           https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
    Tasks: 0 (limit: 47920)
   Memory: 4.0K
   CGroup: /system.slice/tmp.mount

ferricoxide avatar Nov 14 '23 18:11 ferricoxide
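Added example (not part of the ComplianceAsCode project or of either poster's comments): a Python check implementing the recommendation from the issue description, reading the live options from /proc/mounts and the requested ones from the tmp.mount drop-in shown in the last comment. The sample inputs are constructed from the output quoted in the thread; the required option set is an assumption.

```python
import re
from pathlib import Path

REQUIRED = {"nosuid", "nodev", "noexec"}  # required on /tmp (assumption for this example)
DROP_IN = Path("/etc/systemd/system/tmp.mount.d/options.conf")

# Constructed sample input, copied from the output quoted in the thread.
SAMPLE_PROC_MOUNTS = "tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,noexec 0 0\n"
SAMPLE_DROP_IN = "[Mount]\nOptions=mode=1777,strictatime,nosuid,noexec,nodev\n"


def parse_proc_mounts(text, mountpoint="/tmp"):
    """Return the option set of the live mount at mountpoint, or None if not mounted."""
    opts = None
    for line in text.splitlines():
        fields = line.split()
        # /proc/mounts fields: device mountpoint fstype options dump pass
        if len(fields) >= 4 and fields[1] == mountpoint:
            opts = set(fields[3].split(","))  # a later mount over /tmp shadows an earlier one
    return opts


def parse_mount_unit_options(text):
    """Return the options requested by Options= in a .mount unit or drop-in."""
    opts = set()
    for line in text.splitlines():
        m = re.match(r"\s*Options\s*=\s*(.*?)\s*$", line)
        if m:
            # A later Options= assignment replaces an earlier one, as in systemd.
            opts = set(m.group(1).split(",")) if m.group(1) else set()
    return opts


def missing_options(proc_mounts, drop_in=None, required=REQUIRED):
    """Compare live and requested options against the required set."""
    live = parse_proc_mounts(proc_mounts)
    requested = parse_mount_unit_options(drop_in) if drop_in is not None else set()
    return {
        "mounted": live is not None,
        "missing_live": sorted(required - (live or set())),
        "missing_in_unit": sorted(required - requested),
    }


if __name__ == "__main__":
    if Path("/proc/mounts").exists():  # real system
        unit = DROP_IN.read_text() if DROP_IN.exists() else None
        print(missing_options(Path("/proc/mounts").read_text(), unit))
    else:  # offline: fall back to the constructed sample
        print(missing_options(SAMPLE_PROC_MOUNTS, SAMPLE_DROP_IN))
```

An fstab-only check would report this system as non-compliant even though both the live mount and the drop-in carry every required option.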