Puppet Class: cis_security_hardening::rules::tmp_noexec
- Defined in:
- manifests/rules/tmp_noexec.pp
Summary
Ensure noexec option set on /tmp partition
Overview
The noexec mount option specifies that the filesystem cannot contain executable binaries.
Rationale: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp.
# File 'manifests/rules/tmp_noexec.pp', line 19
class cis_security_hardening::rules::tmp_noexec (
  Boolean $enforce = false,
) {
  if ($enforce) {
    # Fall back to an empty hash when the 'mountpoints' fact is unavailable
    $mps = fact('mountpoints') ? {
      undef   => {},
      default => fact('mountpoints'),
    }

    # Only act when /tmp is a mounted filesystem backed by a device other than tmpfs
    if cis_security_hardening::hash_key($mps, '/tmp') and
      cis_security_hardening::hash_key($mps['/tmp'], 'device') and
      $mps['/tmp']['device'] != 'tmpfs' {
      cis_security_hardening::set_mount_options { '/tmp-noexec':
        mountpoint   => '/tmp',
        mountoptions => 'noexec',
      }
    }
  }
}
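The class above enforces the option through Puppet; a practitioner usually also wants an independent way to audit whether /tmp is actually mounted with noexec on a running host. The following POSIX shell function is an added example, not code from the cis_security_hardening module. It reads /proc/mounts-style lines (a constructed sample is embedded so it runs offline) and classifies the /tmp mount. It mirrors the class's `device != 'tmpfs'` condition by reporting a tmpfs-backed /tmp as a separate state rather than flagging it as a finding; the function name and the four status strings are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the cis_security_hardening module): audit whether
# the /tmp mount carries the noexec option, using /proc/mounts-style input.
# Field layout per line: device mountpoint fstype options dump pass

# Constructed sample of /proc/mounts content (not captured from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# tmp_noexec_status MOUNTS_TEXT
# Prints exactly one of:
#   ok          - /tmp is mounted and its option list contains noexec
#   missing     - /tmp is mounted on a non-tmpfs device without noexec (finding)
#   tmpfs       - /tmp is tmpfs-backed; out of scope for this rule, as in the class
#   notmounted  - no separate /tmp mount exists
tmp_noexec_status() {
    printf '%s\n' "$1" | awk '
        $2 == "/tmp" {
            found = 1
            if ($3 == "tmpfs") { print "tmpfs"; exit }
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] == "noexec") { print "ok"; exit }
            }
            print "missing"; exit
        }
        END { if (!found) print "notmounted" }
    '
}

# On a live system you would pass "$(cat /proc/mounts)" instead of the sample.
tmp_noexec_status "$SAMPLE_MOUNTS"   # prints "missing" for the sample above
```

The check reads the live mount table rather than /etc/fstab on purpose: the class sets the option in the mount configuration, but what matters for the control is whether the kernel currently enforces noexec on the mounted filesystem, and the two can differ until the filesystem is remounted.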