Add grpquota Option to /home
An XCCDF Rule
Description
The grpquota mount option allows for the filesystem to have disk quotas configured. Add the grpquota option to the fourth column of /etc/fstab for the line which controls mounting of /home.
Warning
The quota options for XFS file systems can only be activated when mounting the partition. It is not possible to enable them by remounting an already mounted partition. Therefore, if the desired options were not defined before mounting the partition, dismount and mount it again to apply the quota options.
Functionality Warning
OVAL looks for partitions whose mount point is a substring of any interactive user's home directory and validates that the grpquota option is there. Because of this, there could be false negatives when several partitions share a base substring. For example, if there is a home directory in /var/tmp/user1 and there are partitions mounted in /var and /var/tmp, the grpquota option is only expected in /var/tmp, but OVAL will check both. Bash remediation uses the df command to find out the partition where the home directory is mounted. However, if the directory doesn't exist the remediation won't be applied.
Rationale
To ensure the availability of disk space on /home, it is important to limit the impact a single user or group can cause for other users (or the wider system) by intentionally or accidentally filling up the partition. Quotas can also be applied to inodes for filesystems where inode exhaustion is a concern.
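The fstab change described above, as an added example that is not the rule's own remediation: the functions below (assumed names fstab_options, has_grpquota and add_grpquota) read the options column of an fstab-format file for one mount point and append grpquota only when it is missing. The mount point is matched as a whole field rather than as a substring, which is exactly the distinction the functionality warning draws between /var and /var/tmp; the file edited is a constructed sample, not /etc/fstab.

```shell
#!/bin/sh
# Added example, not the SSG rule's own code: inspect and fix the options
# column (4th field) of an fstab-format file for a single mount point.
# The mount point is compared exactly ($2 == mp), not as a substring,
# so a line for /var is never taken for /var/tmp.

# Print the options field of the line whose mount point (2nd field) is $2 in file $1.
fstab_options() {
    awk -v mp="$2" '$0 !~ /^[ \t]*#/ && $2 == mp { print $4; exit }' "$1"
}

# Succeed if grpquota is already one of the comma-separated options for $2 in $1.
has_grpquota() {
    fstab_options "$1" "$2" | tr ',' '\n' | grep -qx 'grpquota'
}

# Append ",grpquota" to the options of mount point $2 in file $1 (idempotent).
# Fails if the file has no line for that mount point. On XFS the new option
# only takes effect after the filesystem is unmounted and mounted again.
add_grpquota() {
    if [ -z "$(fstab_options "$1" "$2")" ]; then
        echo "no fstab entry for $2 in $1" >&2
        return 1
    fi
    if has_grpquota "$1" "$2"; then
        return 0
    fi
    tmp="$1.tmp.$$"
    awk -v mp="$2" 'BEGIN { OFS = "\t" }
        $0 !~ /^[ \t]*#/ && $2 == mp { $4 = $4 ",grpquota" }
        { print }' "$1" > "$tmp" &&
    cat "$tmp" > "$1" && rm -f "$tmp"   # overwrite in place to keep mode/owner
}

# Constructed sample fstab (not a real system file) for a dry run.
SAMPLE_FSTAB="${TMPDIR:-/tmp}/fstab.example.$$"
cat > "$SAMPLE_FSTAB" <<'EOF'
# <device>        <mount point>  <type>  <options>        <dump> <pass>
UUID=0000-ROOT    /              xfs     defaults         0 0
UUID=0000-HOME    /home          xfs     defaults,nodev   0 0
UUID=0000-VARTMP  /var/tmp       xfs     defaults         0 0
EOF

add_grpquota "$SAMPLE_FSTAB" /home
fstab_options "$SAMPLE_FSTAB" /home   # prints: defaults,nodev,grpquota
```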
- ID: xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
- Severity: Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(b)
  - configure_strategy
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then
function perform_remediation (){
mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" $1)"