diff --git a/benchmarks/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.md b/benchmarks/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.md new file mode 100644 index 0000000000000000000000000000000000000000..fe906bc04a8d55505f09a6cf023546037c60b9b4 --- /dev/null +++ b/benchmarks/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.md @@ -0,0 +1,61 @@ +# 4.71 确保/var分区上设置nosuid选项 + +## 安全等级 + +- Level 3 + +## 描述 + +`nosuid`加载选项的让指定文件系统不包含`setuid`文件。由于`/var`路径下一般用于存放日志之类的可变文件,因此在此文件系统下增加`nosuid`配置,以确保用户不能在`/var`下创建可执行文件。 + +## 修复建议 + +目标:编辑`/etc/fstab`文件,在`/var`分区的第四个字段(加载选项)中添加`nosuid`。 + +1. 使用root权限打开`/etc/fstab`文件 + +```bash +sudo vim /etc/fstab +``` + +2. 修改`/var`分区配置,在第四个字段(defaults...)中增加`nosuid`参数。具体参考以下配置: + +```bash + /var defaults,nosuid 0 0 +``` + +注意,要用`,`隔开该选项的其他参数。 + +3. 保存并关闭文件。 + +4. 运行以下命令以使用配置的选项重新挂载 /var: + +```bash +# mount -o remount /var +``` + +## 扫描检测 + +验证是否为 `/var` 分区配置了 `nosuid` 参数。 + +1. 使用以下命令来验证 `/var`分区 是否已经配置了 `nosuid` 参数: + +```bash +# mount | grep '/var.*nosuid' +/dev/nvme0n2p1 on /var type ext4 (rw,nosuid,relatime) +``` + +如果输出中包含了 `/var` 并且有 `nosuid` 字段,则表示已经为 `/var` 挂载设置了 `nosuid` 选项。 + +2. 还可以使用以下命令来检查 `/etc/fstab` 文件是否包含了 `nosuid` 选项: + +```bash +# grep '/var' /etc/fstab | grep -o nosuid +nosuid +``` + +如果输出中有 `nosuid` 字段,则表示已经为 /var 挂载设置了 `nosuid` 选项。 + +## 参考 + +- cis: \ No newline at end of file diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md index 37816b3b085685d68098306d90e6a09a8e453742..51c4b3dda1d339e38d00134ca8f34515c5349725 100644 --- a/docs/summary-of-rules.md +++ b/docs/summary-of-rules.md 
@@ -173,6 +173,7 @@ | 4.68 | 4.68-ensure-permissions-TMP-is-correct.md | 4.68 为公共目录/tmp添加粘贴位 | benchmarks/system-configurations | 1 | | 4.69 | 4.69-ensure-permissions-on-ssh-priv-and-pub-key-are-right.md | 4.69 严格要求SSH公私钥文件权限配置正确 | benchmarks/system-configurations | 3 | | 4.70 | 4.70-ensure-xdmcp-is-not-enabled.md | 4.70 确保没有启用XDMCP | benchmarks/system-configurations | 1 | +| 4.71 | 4.71-ensure-nosuid-option-set-on-var-partition-Automated.md | 4.71 确保/var分区上设置nosuid选项 | benchmarks/system-configurations | 3 | | 5.1 | 5.1-ensure-selinux-is-installed.md | 5.1 确保SElinux工具已安装 | benchmarks/mandatory-access-control | 1 | | 5.2 | 5.2-ensure-selinux-policy-is-configured.md | 5.2 确保SELinux调用mls策略 | benchmarks/mandatory-access-control | 3 | | 5.3 | 5.3-ensure-the-selinux-mode-is-enabled.md | 5.3 确保SELinux不是禁用模式 | benchmarks/mandatory-access-control | 3 | diff --git a/remediation-kits/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh b/remediation-kits/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh new file mode 100644 index 0000000000000000000000000000000000000000..c99d025ce7095358291461c43c7463ace76de23d --- /dev/null +++ b/remediation-kits/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh @@ -0,0 +1,6 @@ +if [[ -e /etc/fstab ]] && [[ -n "$(grep -Ps "\s+\/var\s+" /etc/fstab)" ]] && [[ -z "$(grep -Ps "\s+\/var\s+.*nosuid" /etc/fstab)" ]] ; then + varLine=$(grep -Pn "\s+\/var\s+" /etc/fstab | cut -d: -f1) + varCon=$(grep "\/var" /etc/fstab | awk '{print $4}') + sed -ri "${varLine}s/${varCon}/${varCon},nosuid/g" /etc/fstab + mount -o remount /var +fi \ No newline at end of file diff --git a/scanners/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh b/scanners/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh new file mode 100644 index 0000000000000000000000000000000000000000..b94142125a87b0de5321d8ada1ba89defc97c1ef 
--- /dev/null +++ b/scanners/system-configurations/4.71-ensure-nosuid-option-set-on-var-partition-Automated.sh @@ -0,0 +1 @@ +[[ -e /etc/fstab ]] && [[ -n $(grep -Ps "\s+\/var\s+.*nosuid" /etc/fstab) ]] && [[ -n $(findmnt --kernel /var | grep nosuid) ]] && echo "pass" || echo "fail" \ No newline at end of file
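Review bot: the 描述 paragraph in the new 4.71 markdown misstates the control: `nosuid` stops set-user-ID/set-group-ID bits from taking effect on that filesystem, it does not stop users from creating or running executables under `/var` (that is `noexec`), so "以确保用户不能在/var下创建可执行文件" should say that setuid/setgid binaries placed under /var cannot gain privileges. The fstab example `/var defaults,nosuid 0 0` also omits the device and filesystem-type fields, so it does not show the "第四个字段" the step refers to; something like `<device> /var ext4 defaults,nosuid 0 0` would match the text. The first verification command `mount | grep '/var.*nosuid'` matches any mount whose path starts with /var (for example /var/tmp or /var/log), so a host with nosuid only on /var/tmp would pass; `findmnt --kernel /var`, as the scanner script already uses, checks the /var mount point alone. The 参考 entry `cis:` is left empty.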
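Review bot: in the remediation script, `varCon=$(grep "\/var" /etc/fstab | awk '{print $4}')` uses a looser pattern than the `\s+\/var\s+` grep that selects the line, so on an fstab that also carries `/var/log`, `/var/tmp` or a commented-out `/var` entry it returns several option strings, `varCon` becomes multi-line and the `sed -ri "${varLine}s/${varCon}/${varCon},nosuid/g"` expression is malformed (`varLine` has the same problem when a commented entry matches `\s+\/var\s+`). Select the line number and options with one comment-aware match, e.g. `awk '$1 !~ /^#/ && $2 == "/var" {print NR":"$4}' /etc/fstab`, and drop the `g` flag since the options field occurs once per line. It would also be worth keeping a copy of `/etc/fstab` before the in-place edit and running `findmnt --verify` before `mount -o remount /var`, because a broken fstab produced here would otherwise surface only at the next boot.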
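Review bot: the scanner's `grep -Ps "\s+\/var\s+.*nosuid" /etc/fstab` also matches a commented-out line such as `#/dev/sdb1 /var ext4 defaults,nosuid 0 0`, so the fstab half of the check can pass on persisted configuration that is not actually in effect; excluding comment lines (for example `awk '$1 !~ /^#/ && $2 == "/var" && $4 ~ /nosuid/' /etc/fstab`) closes that gap. When /var is not a separate mount point, `findmnt --kernel /var` prints nothing and the one-liner reports `fail` although the precondition of the control (a /var partition) is simply not met; consider reporting that case distinctly instead of as a failure. The script also relies on bash `[[ ]]` syntax but has no shebang line, so it must always be invoked via bash.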