Add grpquota Option to /home

An XCCDF Rule

Description

The grpquota mount option allows for the filesystem to have disk quotas configured. Add the grpquota option to the fourth column of /etc/fstab for the line which controls mounting of /home.

warning alert: Warning

The quota options for XFS file systems can only be activated when mounting the partition. It is not possible to enable them by remounting an already mounted partition. Therefore, if the desired options were not defined before mounting the partition, dismount and mount it again to apply the quota options.

Rationale

To ensure the availability of disk space on /home, it is important to limit the impact a single user or group can cause for other users (or the wider system) by intentionally or accidentally filling up the partition. Quotas can also be applied to inodes for filesystems where inode exhaustion is a concern.

ID: xccdf_org.ssgproject.content_rule_mount_option_home_grpquota
Severity: Medium
References: CM-6(b)

CCE-86039-5
Updated: over 1 year ago

Remediation Templates

# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { findmnt --kernel "/home" > /dev/null || findmnt --fstab "/home" > /dev/null; }; then
function perform_remediation {
    
        # the mount point /home has to be defined in /etc/fstab
        # before this remediation can be executed. In case it is not defined, the        # remediation aborts and no changes regarding the mount point are done.
        mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" "/home")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" /home)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|grpquota)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
        fs_type=""
        if [  "$fs_type" == "iso9660" ] ; then
            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
        fi
        echo " /home  defaults,${previous_mount_opts}grpquota 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "grpquota"; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,grpquota|" /etc/fstab
    fi


    if mkdir -p "/home"; then
        if mountpoint -q "/home"; then
            mount -o remount --target "/home"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

part /home --mountoptions="grpquota"

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-86039-5
  - NIST-800-53-CM-6(b)  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_grpquota
  - no_reboot_needed
- name: 'Add grpquota Option to /home: Check information associated to mountpoint'
  command: findmnt --fstab '/home'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when:
  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
    in ["docker", "lxc", "openvz", "podman", "container"] ) )
  - '"/home" in ansible_mounts | map(attribute="mount") | list'
  tags:
  - CCE-86039-5
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_grpquota
  - no_reboot_needed

- name: 'Add grpquota Option to /home: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
    in ["docker", "lxc", "openvz", "podman", "container"] ) )
  - '"/home" in ansible_mounts | map(attribute="mount") | list'
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-86039-5
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_grpquota
  - no_reboot_needed

- name: 'Add grpquota Option to /home: If /home not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /home
    - ''
    - ''
    - defaults
  when:
  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
    in ["docker", "lxc", "openvz", "podman", "container"] ) )
  - '"/home" in ansible_mounts | map(attribute="mount") | list'
  - ("--fstab" | length == 0)
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length == 0)
  tags:
  - CCE-86039-5
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_grpquota
  - no_reboot_needed

- name: 'Add grpquota Option to /home: Make sure grpquota option is part of the to
    /home options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',grpquota''
      }) }}'
  when:
  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
    in ["docker", "lxc", "openvz", "podman", "container"] ) )
  - '"/home" in ansible_mounts | map(attribute="mount") | list'
  - mount_info is defined and "grpquota" not in mount_info.options
  tags:
  - CCE-86039-5
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_grpquota
  - no_reboot_needed

- name: 'Add grpquota Option to /home: Ensure /home is mounted with grpquota option'
  mount:
    path: /home
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
    in ["docker", "lxc", "openvz", "podman", "container"] ) )
  - '"/home" in ansible_mounts | map(attribute="mount") | list'
  - mount_info is defined
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-86039-5
  - NIST-800-53-CM-6(b)
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_home_grpquota
  - no_reboot_needed

Add grpquota Option to /home

Description

Rationale

Remediation Templates

A Shell Script

Anaconda Pre-Install Instructions

An Ansible Snippet