Puppet Class: cis_security_hardening::rules::boot_nosuid

Defined in:
manifests/rules/boot_nosuid.pp

Summary

Ensure the "/boot" directory is mounted with the "nosuid" option.

Overview

The operating system must prevent files with the “setuid” and “setgid” bit set from being executed on the “/boot” directory.

Rationale: The “nosuid” mount option causes the system not to execute “setuid” and “setgid” files with owner privileges. This option must be used for mounting any file system not containing approved “setuid” and “setguid” files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Examples:

class { 'cis_security_hardening::rules::boot_nosuid':
  enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule.



20
21
22
23
24
25
26
27
28
29
 
# File 'manifests/rules/boot_nosuid.pp', line 20

class cis_security_hardening::rules::boot_nosuid (
  Boolean $enforce = false,
) {
  if ($enforce) and cis_security_hardening::hash_key($facts['mountpoints'], '/boot') {
    cis_security_hardening::set_mount_options { '/boot-nosuid':
      mountpoint   => '/boot',
      mountoptions => 'nosuid',
    }
  }
}