Puppet Class: cis_security_hardening::rules::var_noexec

Defined in:
manifests/rules/var_noexec.pp

Summary

Ensure noexec option set on /var partition

Overview

The noexec mount option tells the kernel to refuse direct execution of any file on that filesystem. It does not stop an interpreter from reading and running a script stored there (sh /var/tmp/x.sh still works), so it raises the bar for an attacker who has dropped a binary into /var rather than blocking all code execution.

Rationale: Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot run executable binaries from /var.

Caveat: Before enabling enforce => true, confirm that nothing on the host needs to execute binaries from /var. Software that keeps its own executable content under /var/lib (container runtimes storing image layers there are the common case) will break once the option is applied. The class only acts when /var is a separate mount point; if /var is a directory on the root filesystem there is nothing to set and the resource is not declared.
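The following POSIX shell check audits the same condition the class enforces: it reads a mount table in /proc/mounts format, decides whether /var is its own mount point (the gate the class applies via the mountpoints fact), and reports whether noexec is present. It is an added example, not code from the cis_security_hardening module; the function names and the sample mount table are constructed for illustration.

```sh
#!/bin/sh
# Audit helper for "noexec on /var", parsing /proc/mounts format.
# Added example, not part of cis_security_hardening. Function names and
# the sample table below are constructed for this illustration.

# has_opt OPTLIST OPTION: exit 0 if OPTION is one of the comma-separated
# entries in OPTLIST. The surrounding commas stop "noexec" matching a
# longer option name such as "noexecx".
has_opt() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# mount_status FILE MOUNTPOINT OPTION
# FILE is in /proc/mounts format: device mountpoint fstype options dump pass
# Prints exactly one word:
#   not-a-mountpoint  MOUNTPOINT has no entry (the class would do nothing)
#   present           the option is set on the mount
#   missing           MOUNTPOINT is a mount, but without the option
# When a path is mounted more than once (an over-mount), /proc/mounts
# lists every entry, and the last one is the effective view, so awk keeps
# the last match. Spaces in mount point names are escaped as \040 by the
# kernel, which does not affect the simple paths used here.
mount_status() {
  file=$1; mp=$2; opt=$3
  line=$(awk -v mp="$mp" '$2 == mp { last = $0 } END { print last }' "$file")
  if [ -z "$line" ]; then
    echo not-a-mountpoint
    return 0
  fi
  opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
  if has_opt "$opts" "$opt"; then
    echo present
  else
    echo missing
  fi
}

# Constructed sample mount table: /var is a separate filesystem without
# noexec (the finding this class fixes), /var/tmp already has it.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-var /var ext4 rw,nosuid,nodev,relatime 0 0
/dev/mapper/vg-vartmp /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
EOF

# Stand-alone run: audit the sample, then the live system if readable.
echo "sample /var noexec: $(mount_status "$SAMPLE" /var noexec)"
if [ -r /proc/mounts ]; then
  echo "live   /var noexec: $(mount_status /proc/mounts /var noexec)"
fi
```

On a real host the same answer can be read directly with findmnt -n -o OPTIONS /var from util-linux; the script's value is that it distinguishes "not a separate mount" from "mounted without noexec", which is the distinction the class makes before declaring the set_mount_options resource.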

Examples:

class { 'cis_security_hardening::rules::var_noexec':
  enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule.



# File 'manifests/rules/var_noexec.pp', line 19

class cis_security_hardening::rules::var_noexec (
  Boolean $enforce = false,
) {
  # Only act when enforcement is requested and /var is actually a
  # separate mount point on this node (checked via the mountpoints fact);
  # if /var lives on the root filesystem there is no mount to change.
  if ($enforce) and cis_security_hardening::hash_key($facts['mountpoints'], '/var') {
    # Add noexec to the mount options of /var.
    cis_security_hardening::set_mount_options { '/var-noexec':
      mountpoint   => '/var',
      mountoptions => 'noexec',
    }
  }
}