From 5207388f969e5574c4a7220373d6fae6f5b7811b Mon Sep 17 00:00:00 2001
From: magicwave18 <1277614190@qq.com>
Date: Wed, 26 Apr 2023 20:18:10 +0800
Subject: [PATCH] Added benchmark,remediation-kits,scanners for rule 1.53-ensure-mounting-of-squashfs-filesystems-is-disabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: #I6YVCL
Signed-off-by: 陈宇
---
...ing-of-squashfs-filesystems-is-disabled.md | 57 +++++++++++++++++++
docs/summary-of-rules.md | 5 +-
...ing-of-squashfs-filesystems-is-disabled.sh | 14 +++++
...ing-of-squashfs-filesystems-is-disabled.sh | 7 +++
4 files changed, 81 insertions(+), 2 deletions(-)
create mode 100644 benchmarks/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.md
create mode 100644 remediation-kits/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh
create mode 100644 scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh
diff --git a/benchmarks/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.md b/benchmarks/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.md
new file mode 100644
index 0000000..9f3bb0e
--- /dev/null
+++ b/benchmarks/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.md
@@ -0,0 +1,57 @@
+# 确保已禁用 squashfs 文件系统的挂载
+
+## 安全等级
+
+- level 1
+
+## 描述
+
+squashfs 文件系统类型是一种压缩的只读 Linux 文件系统,常用于小型嵌入式系统。可以直接使用 squashfs 镜像而不需要解压。
+
+删除不需要的文件系统类型的支持可以减少系统的受攻击面。如果不需要这种文件系统类型,请禁用。
+
+由于 Snap 包使用 squashfs 作为压缩文件系统,禁用 squashfs 将导致 Snap 包不可用。Linux发行版一般内置了Snap软件包。Snap 与传统的 Linux 软件包管理方法(如 APT 或 RPM)不同,后者在进行更新应用程序时需要根据每个 Linux 发行版对软件包特别适配,因此导致从开发到发布应用的时间变长。Snap 可以从任何来源获得,不依赖于应用商店,可以用于上游软件部署。
+
+## 修复建议
+
+1. 编辑或创建`/etc/modprobe.d/squashfs.conf`文件,并添加内容:
+
+```shell
+printf "install squashfs /bin/false
+blacklist squashfs
+" >> /etc/modprobe.d/squashfs.conf
+```
+
+2. 运行以下命令以卸载 squashfs 模块:
+
+```shell
+# modprobe -r squash
+```
+
+## 扫描检测
+
+运行以下命令并验证输出是否如指示的那样。
+
+1. 模块将如何被加载
+
+```bash
+# modprobe -n -v squashfs | grep "^install"
+install /bin/false
+```
+
+2. 模块当前是否已加载
+```bash
+# lsmod | grep squashfs
+
+```
+
+3. 模块是否被列入黑名单
+
+```bash
+# grep -E "^blacklist\s+squashfs" /etc/modprobe.d/*
+/etc/modprobe.d/squashfs.conf:blacklist squashfs
+```
+
+## 参考
+
+- cis: https://www.cisecurity.org/benchmark/aliyun_linux
diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md
index 4176a60..76541ef 100644
--- a/docs/summary-of-rules.md
+++ b/docs/summary-of-rules.md
@@ -50,8 +50,9 @@
 | 1.48 | 1.48-restrict-the-terminals-that-can-be-managed-over-the-network.md | 1.48 对通过网络进行管理的终端进行限制 | benchmarks/access-and-control | 2 |
 | 1.49 | 1.49-lock-or-delete-the-shutdown-and-halt-users.md | 1.49 锁定或删除shutdown、halt用户 | benchmarks/access-and-control | 1 |
 | 1.50 | 1.50-ensure-ssh-x11-forwarding-is-disabled.md | 1.50 确保SSH X11转发功能被禁用 | benchmarks/access-and-control | 1 |
-| 1.51 | 1.51-ensure-mounting-of-udf-filesystems-is-disabled.md | 1.51 确保udf文件系统的挂载被禁用 | benchmarks/access-and-control | 1 |
-| 1.52 | 1.52-ensure-mounting-of-cramfs-filesystems-is-disabled | 1.52 确保cramfs文件系统的挂载被禁用 | benchmarks/access-and-control | 1 |
+| 1.51 | 1.51-ensure-mounting-of-udf-filesystems-is-disabled.md | 1.51 确保udf文件系统的挂载被禁用 | benchmarks/access-and-control | 1 |
+| 1.52 | 1.52-ensure-mounting-of-cramfs-filesystems-is-disabled | 1.52 确保cramfs文件系统的挂载被禁用 | benchmarks/access-and-control | 1 |
+| 1.53 | 1.53-ensure-mounting-of-squashfs-filesystems-is-disabled | 1.52 确保squashfs文件系统的挂载被禁用 | benchmarks/access-and-control | 1 |
 | 2.1 | 2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.md | 2.1 确保审计日志的文件权限被正确配置 | benchmarks/logging-and-auditing | 1 |
 | 2.2 | 2.2-ensure-only-authorized-users-own-audit-log-files.md | 2.2 确保审计日志文件的所有者为已授权用户 | benchmarks/logging-and-auditing | 1 |
 | 2.3 | 2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.md | 2.3 确保审计日志文件的所属组为已授权的用户组 | benchmarks/logging-and-auditing | 1 |
diff --git a/remediation-kits/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh b/remediation-kits/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh
new file mode 100644
index 0000000..ff33807
--- /dev/null
+++ b/remediation-kits/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh
@@ -0,0 +1,14 @@
+file=/etc/modprobe.d/squashfs.conf
+if test -e "$file"; then
+ fileContent=$(cat /etc/modprobe.d/squashfs.conf)
+ targetContent="install squashfs /bin/false blacklist squashfs"
+ result=$(echo $fileContent | grep "install squashfs /bin/false blacklist squashfs")
+ if [[ "$result" == "" ]]; then
+ echo "install squashfs /bin/false" >> /etc/modprobe.d/squashfs.conf
+ echo "blacklist squashfs" >> /etc/modprobe.d/squashfs.conf
+ fi
+else
+ echo "install squashfs /bin/false" >> /etc/modprobe.d/squashfs.conf
+ echo "blacklist squashfs" >> /etc/modprobe.d/squashfs.conf
+fi
+modprobe -r squashfs
\ No newline at end of file
diff --git a/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh b/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh
new file mode 100644
index 0000000..bf2195c
--- /dev/null
+++ b/scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh
@@ -0,0 +1,7 @@
+result=false
+modprobe -n -v squashfs | grep -q "install" && test -z "$(lsmod | grep -e squashfs)" && grep -E -q "^blacklist\s+squashfs" /etc/modprobe.d/* && result=true
+if [ "$result" = true ]; then
+ echo "pass"
+else
+ echo "fail"
+fi
\ No newline at end of file
-- 
Gitee
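Review bot: The presence check on the `result=` line flattens the file through the unquoted `$fileContent`, so it only matches when `install squashfs /bin/false` and `blacklist squashfs` are adjacent lines in exactly that order; any other layout (only one of the two lines present, a comment between them, reverse order) re-appends both and the file grows duplicate entries on every run. `targetContent` is assigned but never used, and `$file` is set on the first line while the later `cat` and `>>` hard-code the path again. `modprobe -r squashfs` also fails when the module is in use, which the benchmark text itself says happens on hosts with Snap packages, and that failure is neither reported nor reflected in the exit status. Testing each required line on its own with `grep -qxF` makes the remediation idempotent and covers the missing-file case without a separate branch.
```shell
file=/etc/modprobe.d/squashfs.conf
for line in "install squashfs /bin/false" "blacklist squashfs"; do
  # -x whole-line, -F literal; a missing file fails the test and is created by >>
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
done
modprobe -r squashfs || printf 'warning: squashfs module could not be unloaded (still in use?)\n' >&2
```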
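Review bot: `grep -q "install"` on the second line accepts any `modprobe -n -v` output that merely contains the word, whereas the benchmark's own check is `grep "^install"` with `install /bin/false` as the expected output; anchoring it, `modprobe -n -v squashfs 2>/dev/null | grep -q '^install /bin/false'`, ties the pass to the configured stub rather than to a substring. `lsmod | grep -e squashfs` is likewise a substring match over the whole line; `lsmod | grep -qw '^squashfs'` (or `awk '$1=="squashfs"'`) reads only the module-name column. The file has no shebang although it uses the same `[ ]`/`&&` chain style as the remediation script, so which shell runs it is left to the caller; a first-line `#!/usr/bin/env bash` would pin that.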