Mount Remote Filesystems with noexec

An XCCDF Rule

Description

Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

ID: xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems
Severity: Medium
References: 12 13 14 15 16 18 3 5

APO01.06 DSS05.04 DSS05.07 DSS06.02

CCI-000366

4.3.3.7.3

SR 2.1 SR 5.2

A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

AC-6 AC-6(10) AC-6(8) CM-6(a)

PR.AC-4 PR.DS-5

SRG-OS-000480-GPOS-00227

RHEL-08-010630

CCE-84050-4

SV-230306r1017116_rule
Updated: over 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-84050-4
  - DISA-STIG-RHEL-08-010630  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(10)
  - NIST-800-53-AC-6(8)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - mount_option_noexec_remote_filesystems
  - no_reboot_needed

- name: Get nfs and nfs4 mount points, that don't have noexec
  command: findmnt --fstab --types nfs,nfs4 -O nonoexec -n -P
  register: points_register
  check_mode: false
  changed_when: false
  failed_when: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-84050-4
  - DISA-STIG-RHEL-08-010630
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(10)
  - NIST-800-53-AC-6(8)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - mount_option_noexec_remote_filesystems
  - no_reboot_needed

- name: Add noexec to nfs and nfs4 mount points
  mount:
    path: '{{ item | regex_search(''TARGET="([^"]+)"'',''\1'') | first }}'
    src: '{{ item | regex_search(''SOURCE="([^"]+)"'',''\1'') | first }}'
    fstype: '{{ item | regex_search(''FSTYPE="([^"]+)"'',''\1'') | first }}'
    state: present
    opts: '{{ item | regex_search(''OPTIONS="([^"]+)"'',''\1'') | first }},noexec'
  when:
  - '"kernel" in ansible_facts.packages'
  - (points_register.stdout | length > 0) and '\\x09' not in item
  with_items: '{{ points_register.stdout_lines }}'
  tags:
  - CCE-84050-4
  - DISA-STIG-RHEL-08-010630
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(10)
  - NIST-800-53-AC-6(8)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - mount_option_noexec_remote_filesystems
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

vfstype_points=()
readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}')
for vfstype_point in "${vfstype_points[@]}"
do
    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" ${vfstype_point//\\/\\\\})"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
        fs_type="nfs4"
        if [  "$fs_type" == "iso9660" ] ; then
            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
        fi
        echo " ${vfstype_point//\\/\\\\} nfs4 defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Mount Remote Filesystems with noexec

Description

Rationale

Remediation - Ansible

Remediation - Shell Script