From a3b414ea9588f7b66d3055ae1c75b550fbe95794 Mon Sep 17 00:00:00 2001
From: YuQing-Rain
Date: Tue, 23 May 2023 10:32:04 +0800
Subject: [PATCH] Add the services/3.28 rule.
Signed-off-by: Haoji_Zhang
Signed-off-by: YuQing-Rain
---
 .../services/3.28-disable-automounting.md | 49 +++++++++++++++++++
 docs/summary-of-rules.md | 1 +
 .../services/3.28-disable-automounting.sh | 1 +
 .../services/3.28-disable-automounting.sh | 10 ++++
 4 files changed, 61 insertions(+)
 create mode 100644 benchmarks/services/3.28-disable-automounting.md
 create mode 100644 remediation-kits/services/3.28-disable-automounting.sh
 create mode 100644 scanners/services/3.28-disable-automounting.sh
diff --git a/benchmarks/services/3.28-disable-automounting.md b/benchmarks/services/3.28-disable-automounting.md
new file mode 100644
index 0000000..65a729a
--- /dev/null
+++ b/benchmarks/services/3.28-disable-automounting.md
@@ -0,0 +1,49 @@
+# 3.28 禁用自动挂载
+
+## 安全等级
+
+- Level 1
+
+## 描述
+
+`autofs` 允许自动安装外设,通常包括 `CD/DVD` 和 `USB` 驱动器。当启用自动挂载后,任何可以访问设备的用户,即使他们没有权限装载外设,也可以在服务器或主机上连接`USB`驱动器或光盘,并在系统中读取、改动他们的内容。协作工作的企业用户习惯于使用便携式存储设备,如果用户的管理者允许其在工作站上使用便携式存储和媒体设备,并且对工作站服务设备的访问权限是足够的,那么关闭自动挂载几乎没有什么价值。
+
+## 修复建议
+
+1. 如果有其他安装包依赖于`autofs`,请使用以下命令禁用`autofs`服务:
+
+```bash
+# systemctl --now disable autofs
+```
+
+2. 如果没有其他依赖于 `autofs` 的包,请使用以下命令卸载autofs软件包:
+
+```bash
+# dnf remove autofs -y
+```
+
+## 扫描检测
+
+除非其他包依赖于`autofs`或是缺失需要自动挂载功能,否则不建议安装`autofs`。
+
+1. 运行以下命令来检测`autofs`是否被成功禁用或移除:
+
+```bash
+# systemctl is-enabled autofs
+disabled
+```
+
+```bash
+# systemctl is-enabled autofs
+Failed to get unit file state for autofs.service: No such file or directory
+```
+
+- 如返回`disabled`,则表示当前系统已安装了`autofs`软件包,但未启用。**通过检查(pass)**
+
+- 如返回`Failed to get unit file state for autofs.service: No such file or directory`,则表示当前系统未安装`autofs`软件包。**通过检查(pass)**
+
+- 如返回`enabled`,则表示当前系统已安装了`autofs`软件包,且已启用。**未通过检查,需处理(fail)**
+
+## 参考
+
+- cis:
\ No newline at end of file
diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md
index 7967c22..e67ff26 100644
--- a/docs/summary-of-rules.md
+++ b/docs/summary-of-rules.md
@@ -106,6 +106,7 @@
 | 3.25 | 3.25-ensure-xinetd-is-not-installed.md | 3.25 确保xinetd被卸载 | benchmarks/services | 1 |
 | 3.26 | 3.26-disable-usb-storage.md | 3.26 禁用USB存储 | benchmarks/services | 1 |
 | 3.27 | 3.27-ensure-time-synchronization-is-installed.md | 3.27 确保时间同步服务已安装 | benchmarks/services | 1 |
+| 3.28 | 3.28-disable-automounting.md | 3.28 禁用自动挂载 | benchmarks/services | 1 |
 | 4.1 | 4.1-ensure-message-of-the-day-is-configured-properly.md | 4.1 确保登录提示消息的内容符合要求 | benchmarks/system-configurations | 1 |
 | 4.2 | 4.2-ensure-local-login-warning-banner-is-configured-properly.md | 4.2 确保本地登录提示消息的内容符合要求 | benchmarks/system-configurations | 1 |
 | 4.3 | 4.3-ensure-remote-login-warning-banner-is-configured-properly.md | 4.3 确保远程登录提示消息的内容符合要求 | benchmarks/system-configurations | 1 |
diff --git a/remediation-kits/services/3.28-disable-automounting.sh b/remediation-kits/services/3.28-disable-automounting.sh
new file mode 100644
index 0000000..d1adc9c
--- /dev/null
+++ b/remediation-kits/services/3.28-disable-automounting.sh
@@ -0,0 +1 @@
+(rpm -e --test autofs && dnf remove -y autofs) || systemctl --now disable autofs
\ No newline at end of file
diff --git a/scanners/services/3.28-disable-automounting.sh b/scanners/services/3.28-disable-automounting.sh
new file mode 100644
index 0000000..fc9286d
--- /dev/null
+++ b/scanners/services/3.28-disable-automounting.sh
@@ -0,0 +1,10 @@
+rpmAutofs=$(rpm -qa | grep ^autofs)
+[[ -z $rpmAutofs ]] || sysAutofs=$(systemctl is-enabled autofs)
+
+if [[ -z $rpmAutofs ]]; then
+ echo 'pass'
+elif [[ $sysAutofs == 'disabled' ]]; then
+ echo 'pass'
+else
+ echo 'fail'
+fi
\ No newline at end of file
-- Gitee
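Review bot: On a host where autofs is not installed, `rpm -e --test autofs` fails, so the one-liner in remediation-kits/services/3.28-disable-automounting.sh falls through to `systemctl --now disable autofs` against a unit that does not exist and exits non-zero with an error, even though the benchmark text treats that state as already compliant. A leading guard such as `rpm -q autofs >/dev/null 2>&1 || exit 0` makes the kit idempotent and keeps its exit status meaningful. The disable branch also leaves the unit un-masked, so another unit or a package update could re-enable it; `systemctl --now mask autofs` is stricter, but the scanner and benchmark text would then need to accept `masked` as a passing state. The file also has no shebang and no trailing newline.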
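Review bot: `rpm -qa | grep ^autofs` on the first line of scanners/services/3.28-disable-automounting.sh is a prefix match, so any installed package whose name merely starts with `autofs` makes the scanner query and judge the autofs unit instead of reporting the not-installed case; `rpm -q autofs` tests the exact package name. The `systemctl is-enabled` call on the second line does not redirect stderr, so an installed package with a missing or broken unit file leaks an error message into the scanner's output, and a `masked` unit, which is stricter than `disabled`, is reported as fail. The rewrite below keeps the three outcomes but tests the package by exact name, silences the unit query, and accepts both `disabled` and `masked`.
```shell
if ! rpm -q autofs >/dev/null 2>&1; then
  echo 'pass'
else
  state=$(systemctl is-enabled autofs 2>/dev/null)
  if [[ $state == 'disabled' || $state == 'masked' ]]; then
    echo 'pass'
  else
    echo 'fail'
  fi
fi
```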