Puppet Class: cis_security_hardening::rules::nfs_noexec

Defined in:
manifests/rules/nfs_noexec.pp

Summary

Ensure noexec option is configured for NFS.

Overview

The operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).

Rationale: The “noexec” mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Examples:

class { 'cis_security_hardening::rules::nfs_noexec':
  enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule



# File 'manifests/rules/nfs_noexec.pp', line 21

class cis_security_hardening::rules::nfs_noexec (
  Boolean $enforce = false,
) {
  if $enforce {
    $nfs = fact('cis_security_hardening.nfs_file_systems') ? {
      undef   => {},
      default => fact('cis_security_hardening.nfs_file_systems'),
    }

    $nfs.each |$fs, $data| {
      cis_security_hardening::set_mount_options { "${fs}-noexec":
        mountpoint   => $fs,
        mountoptions => 'noexec',
      }
    }
  }
}
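
To confirm the result on a node after the class has been applied, the following audit lists every NFS mount that still lacks `noexec`. It is an added example, not part of the cis_security_hardening module; the function names (`nfs_missing_noexec`, `audit`, `sample_mounts`) are hypothetical, the sample mount table is constructed, and input is assumed to be in `/proc/mounts` format.

```shell
#!/bin/sh
# Added audit example: find NFS mounts without the noexec option.
# Input format (as in /proc/mounts): device mountpoint fstype options dump pass

# Reads a mount table on stdin and prints the mount point of every
# nfs/nfs4 file system whose option list does not contain "noexec".
nfs_missing_noexec() {
  awk '
    $3 == "nfs" || $3 == "nfs4" {
      n = split($4, opts, ",")
      found = 0
      for (i = 1; i <= n; i++) {
        if (opts[i] == "noexec") { found = 1 }   # exact option match only
      }
      if (!found) { print $2 }
    }
  '
}

# Constructed sample data, not taken from a real host.
sample_mounts() {
  cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
filer01:/export/home /home nfs4 rw,nosuid,nodev,noexec,relatime,vers=4.2 0 0
filer01:/export/tools /opt/tools nfs rw,relatime,vers=3 0 0
filer02:/export/data /srv/shared\040data nfs4 rw,nosuid,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec 0 0
EOF
}

# Returns 0 when every NFS mount on stdin carries noexec, 1 otherwise.
audit() {
  missing=$(nfs_missing_noexec)
  if [ -z "$missing" ]; then
    return 0
  fi
  printf '%s\n' "$missing" | sed 's/^/NFS mount without noexec: /'
  return 1
}

# Demo on the constructed table; on a real host run: audit < /proc/mounts
sample_mounts | nfs_missing_noexec
```

Mount points are printed exactly as they appear in the mount table, so a space shows up as the `\040` escape.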