From 61e040a9259ff4848457678358245b7546f53146 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 3 Jul 2023 13:03:37 -0500
Subject: [PATCH 01/15] Add new missing mount platforms
---
shared/applicability/mount.yml | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/shared/applicability/mount.yml b/shared/applicability/mount.yml
index 095f0c77295..ca1fa0981ad 100644
--- a/shared/applicability/mount.yml
+++ b/shared/applicability/mount.yml
@@ -6,7 +6,19 @@ ansible_conditional: {{{ ansible_mount_conditional("{mountpoint}") }}}
template:
name: platform_mount
args:
+ home:
+ mountpoint: /home
+ opt:
+ mountpoint: /opt
+ srv:
+ mountpoint: /srv
tmp:
mountpoint: /tmp
+ var:
+ mountpoint: /var
+ var-log:
+ mountpoint: /var/log
+ var-log-audit:
+ mountpoint: /var/log/audit
var-tmp:
mountpoint: /var/tmp
From 018d04013f8c212afcc3237d19e5575c6eae971c Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 3 Jul 2023 13:10:51 -0500
Subject: [PATCH 02/15] Add mount platform to mount_option_var_noexec
---
.../permissions/partitions/mount_option_var_noexec/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
index e63be022fb7..d617a3b2eba 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_noexec/rule.yml
@@ -6,7 +6,7 @@ title: 'Add noexec Option to /var'
description: |-
The noexec mount option can be used to prevent binaries from being
- executed out of /var.
+ executed out of /var.
{{{ describe_mount(option="noexec", part="/var") }}}
rationale: |-
@@ -29,7 +29,7 @@ references:
cis@alinux3: 1.1.3.2
cis@rhel8: 1.1.3.3
-platform: machine
+platform: machine and mount[var]
template:
name: mount_option
From dcd69aeb97e13b947927e35203d1f30f9fde0235 Mon Sep 17 00:00:00 2001
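Review bot: The removed and re-added `executed out of /var.` lines in the first hunk of mount_option_var_noexec read identically once whitespace is collapsed, so the change there is presumably trailing whitespace or indentation rather than wording. That is unrelated to the subject "Add mount platform to mount_option_var_noexec"; either mention it in the commit message or split it into its own whitespace commit so the history stays greppable. The `rationale` block scalar starts on the hunk's last line and continues outside it.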
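Review bot: `platform: machine and mount[var]` in the second hunk of mount_option_var_noexec turns a host without a separate /var mount from a failing check into a not-applicable result, and nothing in the rule tells the reader that; the description in the hunk above still only says the option "can be used to prevent binaries from being executed out of /var". Add a warning so profile authors know to pair this rule with whichever rule requires /var to be its own partition, e.g. `warnings:` / `- general: |-` / `This rule only applies when /var is a separate mount point; other systems report it as notapplicable rather than failing, so select the rule that requires a dedicated /var partition alongside it.` The same caveat applies to every other rule in this series that gains a `mount[...]` platform. The `template:` mapping begins on the hunk's last lines and continues outside it.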
From: Matthew Burket
Date: Mon, 3 Jul 2023 13:11:55 -0500
Subject: [PATCH 03/15] Add mount platform to mount_option_var_nodev
---
.../permissions/partitions/mount_option_var_nodev/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
index 67b539543a8..d2723fd05fc 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml
@@ -34,7 +34,7 @@ references:
nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
srg: SRG-OS-000368-GPOS-00154
-platform: machine
+platform: machine and mount[var]
template:
name: mount_option
From 42d8b1d1739609c9bb87d438ceeb7cefb691409b Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 3 Jul 2023 13:12:29 -0500
Subject: [PATCH 04/15] Add mount platform to mount_option_var_log_nosuid
---
.../permissions/partitions/mount_option_var_log_nosuid/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
index 437b4850ff7..c463963115e 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml
@@ -39,7 +39,7 @@ references:
stigid@ol8: OL08-00-040127
stigid@rhel8: RHEL-08-040127
-platform: machine
+platform: machine and mount[var-log]
template:
name: mount_option
From f4503031a4a7b2c0f3ce50fa15b515c2d0281505 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 3 Jul 2023 13:14:51 -0500
Subject: [PATCH 05/15] Add mount platform to mount_option_var_log_noexec
---
.../permissions/partitions/mount_option_var_log_noexec/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
index ff078319b8f..e3885b4974f 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml
@@ -38,7 +38,7 @@ references:
stigid@ol8: OL08-00-040128
stigid@rhel8: RHEL-08-040128
-platform: machine
+platform: machine and mount[var-log]
template:
name: mount_option
From 0d40abc6ccdf321863092f02c4ce93a59bd44dea Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 3 Jul 2023 13:16:34 -0500
Subject: [PATCH 06/15] Add mount platform to mount_option_var_log_nodev
---
.../permissions/partitions/mount_option_var_log_nodev/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
index 81ee133e871..b59aeba7f8d 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml
@@ -37,7 +37,7 @@ references:
stigid@ol8: OL08-00-040126
stigid@rhel8: RHEL-08-040126
-platform: machine
+platform: machine and mount[var-log]
template:
name: mount_option
From 498c5ae434f7cd9b98d5dbdebd7fdb6c5d94ce4d Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 3 Jul 2023 13:17:45 -0500
Subject: [PATCH 07/15] Add mount platform to mount_option_var_log_audit_nosuid
---
.../partitions/mount_option_var_log_audit_nosuid/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
index 24cf0d98571..38c807ee5eb 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
@@ -36,7 +36,7 @@ references:
stigid@ol8: OL08-00-040130
stigid@rhel8: RHEL-08-040130
-platform: machine
+platform: machine and mount[var-log-audit]
template:
name: mount_option
From 95dce53aeba6e6aea4593833cbbaf84896fd6925 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 3 Jul 2023 13:18:04 -0500
Subject: [PATCH 08/15] Add mount platform to mount_option_var_log_audit_noexec
---
.../partitions/mount_option_var_log_audit_noexec/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
index 2a16d8d3e59..f5c55f7d49e 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
@@ -35,7 +35,7 @@ references:
stigid@ol8: OL08-00-040131
stigid@rhel8: RHEL-08-040131
-platform: machine
+platform: machine and mount[var-log-audit]
template:
name: mount_option
From 523a0b0b5bdbf0fd8738da7c57d506c5a116fb45 Mon Sep 17 00:00:00 2001
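Review bot: `mount[var-log-audit]` in mount_option_var_log_audit_nosuid matches only when /var/log/audit is itself a mount point, so on a host where the audit directory sits inside a dedicated /var/log filesystem this STIG-tagged rule (RHEL-08-040130 / OL08-00-040130) becomes notapplicable and the mount options of the containing filesystem are what govern the path. That is reasonable for a per-filesystem option, but the rule should say so; add `warnings:` / `- general: |-` / `Applicable only when /var/log/audit is a separate mount point; when it lives inside the /var/log filesystem, the /var/log mount option rules govern it.` The noexec and nodev siblings in patches 08 and 09 want the same note. The `template:` mapping continues past the hunk.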
From: Matthew Burket
Date: Mon, 3 Jul 2023 13:18:26 -0500
Subject: [PATCH 09/15] Add mount platform to mount_option_var_log_audit_nodev
---
.../partitions/mount_option_var_log_audit_nodev/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
index 8817468a941..844f31d1874 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
@@ -37,7 +37,7 @@ references:
stigid@ol8: OL08-00-040129
stigid@rhel8: RHEL-08-040129
-platform: machine
+platform: machine and mount[var-log-audit]
template:
name: mount_option
From 7475c9720a9ef11967528e8144e1d11ed0060006 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 3 Jul 2023 13:19:19 -0500
Subject: [PATCH 10/15] Add mount platform to mount_option_srv_nosuid
---
.../permissions/partitions/mount_option_srv_nosuid/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
index a0631bf67a2..5ff970bd76d 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_srv_nosuid/rule.yml
@@ -29,7 +29,7 @@ identifiers:
references:
anssi: BP28(R12)
-platform: machine
+platform: machine and mount[srv]
template:
name: mount_option
From 2f588d3c12a40120b995b3f4c38a04d42210eabc Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 3 Jul 2023 13:19:49 -0500
Subject: [PATCH 11/15] Add mount platform to mount_option_opt_nosuid
---
.../permissions/partitions/mount_option_opt_nosuid/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
index 25a4b382f1f..b7ec9c5696b 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml
@@ -29,7 +29,7 @@ identifiers:
references:
anssi: BP28(R12)
-platform: machine
+platform: machine and mount[opt]
template:
name: mount_option
From 8beac58843da2580736abce98e412d70047b9d0b Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 3 Jul 2023 13:22:29 -0500
Subject: [PATCH 12/15] Add mount platform to mount_option_home_usrquota
---
.../partitions/mount_option_home_usrquota/rule.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml
index c9c3440eaec..86536b37530 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_usrquota/rule.yml
@@ -25,7 +25,7 @@ references:
cis@rhel8: 1.1.7.4
nist: CM-6(b)
-platform: machine
+
{{{ complete_ocil_entry_mount_option("/home", "usrquota") }}}
@@ -53,11 +53,13 @@ warnings:
{{% endif %}}
{{% if "ol" in product %}}
+platform: machine
template:
name: mount_option_home
vars:
mountoption: usrquota
{{% else %}}
+platform: machine and mount[home]
template:
name: mount_option
vars:
From 0931a100811454a33e265ca29027a277debaf048 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 3 Jul 2023 13:28:44 -0500
Subject: [PATCH 13/15] Add mount platform to mount_option_home_nosuid
---
.../permissions/partitions/mount_option_home_nosuid/rule.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
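Review bot: The first hunk of mount_option_home_usrquota replaces `platform: machine` with what the hunk counts (7 old, 7 new; 3 insertions, 1 deletion) show to be an empty added line, which leaves a run of three blank lines between `nist: CM-6(b)` and the OCIL macro; the matching hunk in patch 15 for mount_option_home_grpquota deletes the surrounding blank line instead. Drop the added empty line here so the two sibling rules end up with the same layout. The `warnings:` mapping the second hunk belongs to starts outside the hunk.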
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
index adcad278a3d..5e42ac0a7e5 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
@@ -46,7 +46,6 @@ references:
stigid@sle12: SLES-12-010790
stigid@sle15: SLES-15-040140
-platform: machine
{{{ complete_ocil_entry_mount_option("/home", "nosuid") }}}
@@ -56,12 +55,14 @@ fixtext: |-
srg_requirement: '{{{ srg_requirement_mount_option("/home", "nosuid") }}}'
{{% if "ol" not in product %}}
+platform: machine and mount[home]
template:
name: mount_option
vars:
mountpoint: /home
mountoption: nosuid
{{% else %}}
+platform: machine
warnings:
- functionality: |-
OVAL looks for partitions whose mount point is a substring of any interactive user's home
From 9efe859ec80b366c308edb11bff56562b7b34ceb Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 3 Jul 2023 13:38:09 -0500
Subject: [PATCH 14/15] Add mount platform to mount_option_home_nodev
---
.../permissions/partitions/mount_option_home_nodev/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
index 9d237c21cce..d454139b425 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nodev/rule.yml
@@ -42,7 +42,7 @@ references:
cis@ubuntu2204: 1.1.7.2
srg: SRG-OS-000368-GPOS-00154
-platform: machine
+platform: machine and mount[home]
template:
name: mount_option
From 1e3ed5a067803355604cf9750ec89013ba9ae990 Mon Sep 17 00:00:00 2001
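Review bot: In the second hunk of mount_option_home_nosuid the OL branch is the only /home rule left on plain `platform: machine`, with no comment saying why, while the non-OL branch is gated on `mount[home]`. The visible warning text ("OVAL looks for partitions whose mount point is a substring of any interactive user's home") suggests the OL check resolves the home partition itself, so a `mount[home]` gate would presumably be too narrow there; capture that next to the line, e.g. `{{# OL resolves the home partition from users' home directories, so it is not gated on mount[home] #}}` above `platform: machine`. The `- functionality` warning text continues past the hunk.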
From: Matthew Burket
Date: Mon, 3 Jul 2023 13:39:43 -0500
Subject: [PATCH 15/15] Add mount platform to mount_option_home_grpquota
---
.../partitions/mount_option_home_grpquota/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml
index 5aabb537e90..dfc449d17c3 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_grpquota/rule.yml
@@ -25,8 +25,6 @@ references:
cis@rhel8: 1.1.7.5
nist: CM-6(b)
-platform: machine
-
{{{ complete_ocil_entry_mount_option("/home", "grpquota") }}}
fixtext: '{{{ fixtext_mount_option("/home", "grpquota") }}}'
@@ -53,11 +51,13 @@ warnings:
{{% endif %}}
{{% if "ol" in product %}}
+platform: machine
template:
name: mount_option_home
vars:
mountoption: grpquota
{{% else %}}
+platform: machine and mount[home]
template:
name: mount_option
vars: