Puppet Class: cis_security_hardening::rules::tmp_filesystem

Defined in:
manifests/rules/tmp_filesystem.pp

Summary

Ensure /tmp is configured

Overview

The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.

Rationale: Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker wanting to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and waiting for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have their own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.

This can be accomplished either by mounting tmpfs on /tmp or by creating a separate partition for /tmp.
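A small audit helper, added here as an example and not part of the cis_security_hardening module, that checks whether /tmp is actually a separate mount carrying the noexec option the rationale relies on (plus nodev and nosuid, which the CIS benchmark sets on /tmp alongside noexec). The option strings in the comments are constructed samples of what `findmnt -no OPTIONS /tmp` prints.

```shell
#!/bin/sh
# Mount options that /tmp should carry; noexec is the one the rationale above depends on.
REQUIRED_OPTS="nodev nosuid noexec"

# tmp_missing_opts OPTS
# OPTS is a comma-separated mount option string, e.g. (constructed sample)
#   "rw,nosuid,nodev,noexec,relatime,size=2097152k"
# Prints the required options that are absent, space-separated; prints nothing when all are set.
tmp_missing_opts() {
    opts=",$1,"          # wrap in commas so each option can be matched whole
    missing=""
    for o in $REQUIRED_OPTS; do
        case "$opts" in
            *",$o,"*) ;;                       # option present
            *) missing="$missing$o " ;;        # option absent
        esac
    done
    printf '%s' "${missing% }"
}

# audit_tmp_mount
# Queries the live system; returns 0 only when /tmp is its own mount with all required options.
audit_tmp_mount() {
    # findmnt exits non-zero and prints nothing when /tmp is not a mount point of its own
    if ! opts=$(findmnt -no OPTIONS /tmp 2>/dev/null); then
        echo "FAIL: /tmp is not a separate filesystem"
        return 1
    fi
    missing=$(tmp_missing_opts "$opts")
    if [ -n "$missing" ]; then
        echo "FAIL: /tmp is missing mount option(s): $missing"
        return 1
    fi
    echo "PASS: /tmp mounted with options: $opts"
    return 0
}
```

Run `audit_tmp_mount` on a host after the class has been applied; a non-zero exit means the tmpfs mount or one of its hardening options is not in effect.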

Examples:

class { 'cis_security_hardening::rules::tmp_filesystem':
  enforce => true,
  size    => 2,     # Integer number of GB; a string such as '2G' fails the Integer type check
  enable  => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule

  • size (Integer) (defaults to: 0)

    Size of the /tmp filesystem in GB

  • enable (Boolean) (defaults to: true)

    Enable the tmp.mount systemd service

# File 'manifests/rules/tmp_filesystem.pp', line 32

class cis_security_hardening::rules::tmp_filesystem (
  Boolean $enforce = false,
  Integer $size    = 0,
  Boolean $enable  = true,
) {
  if $enforce {
    # systemd mount unit that makes /tmp a tmpfs mount
    $file = '/etc/systemd/system/tmp.mount'

    # Select the distribution-specific template for the unit file
    case $facts['os']['name'].downcase() {
      'ubuntu': {
        $epp = 'tmp.mount.ubuntu.epp'
      }
      'debian': {
        $epp = 'tmp.mount.debian.epp'
      }
      'sles': {
        $epp = 'tmp.mount.sles.epp'
      }
      'redhat': {
        # On RHEL 8 and later no unit file is written; the system's existing
        # tmp.mount unit is enabled below instead. versioncmp() orders version
        # strings numerically, whereas a plain string comparison with >= would
        # misorder a two-digit major such as '10' against '8'.
        if versioncmp($facts['os']['release']['major'], '8') < 0 {
          $epp = 'tmp.mount.epp'
        } else {
          $epp = ''
        }
      }
      default: {
        $epp = 'tmp.mount.epp'
      }
    }

    # Write the unit file only when a template was selected for this platform
    if !empty($epp) {
      file { $file:
        ensure  => file,
        content => epp("cis_security_hardening/rules/common/${epp}", {
            size => $size,
        }),
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        # systemd must re-read unit files before the new mount unit can be started
        notify  => Exec['systemd-daemon-reload'],
      }
    }

    # Start the mount unit now and enable it at boot according to $enable;
    # ensure_resource avoids a duplicate declaration if another class manages it
    ensure_resource('service', 'tmp.mount', {
        ensure => running,
        enable => $enable,
    })
  }
}