Puppet Class: cis_security_hardening::rules::home_nosuid
Defined in: manifests/rules/home_nosuid.pp
Summary
Ensure nosuid option set on /home partition
Overview
The nosuid mount option specifies that the filesystem cannot contain setuid files.
Rationale: Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home.
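# File 'manifests/rules/home_nosuid.pp', line 19
class cis_security_hardening::rules::home_nosuid (
  Boolean $enforce = false,
) {
  # Only manage the option when enforcement is on and /home is present
  # in the 'mountpoints' fact; otherwise the class does nothing.
  if ($enforce) and cis_security_hardening::hash_key($facts['mountpoints'], '/home') {
    # Add 'nosuid' to the mount options of /home.
    cis_security_hardening::set_mount_options { '/home-nosuid':
      mountpoint   => '/home',
      mountoptions => 'nosuid',
    }
  }
}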
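The class only acts when /home is its own mountpoint, so an audit has to tell "nosuid set" apart from "nosuid missing" and from "/home is not a separate mount". The check below is an added example, not part of the cis_security_hardening module; the function name nosuid_status and the sample mount table are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the nosuid option for a mountpoint.
# Input on stdin is a mount table in /proc/self/mounts format:
#   device mountpoint fstype options dump pass

# Constructed sample data, not taken from a real host.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda4 /srv ext4 rw,relatime 0 0'

# nosuid_status MOUNTPOINT
# Prints exactly one of:
#   ok           mountpoint is mounted with nosuid
#   missing      mountpoint is mounted without nosuid
#   not-mounted  mountpoint is not a separate mount (the case the class skips)
nosuid_status() {
    awk -v mp="$1" '
        # Later entries shadow earlier ones on the same mountpoint,
        # so the last matching line decides the result.
        $2 == mp { opts = $4; seen = 1 }
        END {
            if (!seen) { print "not-mounted"; exit }
            n = split(opts, o, ",")
            # Compare whole options so only an exact "nosuid" entry counts.
            for (i = 1; i <= n; i++)
                if (o[i] == "nosuid") { print "ok"; exit }
            print "missing"
        }'
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_MOUNTS" | nosuid_status /home
```

On a live Linux host the same function can read the kernel's view directly: nosuid_status /home < /proc/self/mounts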