I don't recall, honestly. Removable partitions are called out in the CCI mappings: http://scap-securityguide.rhcloud.com/RHEL6/output/table-rhel6-srgmap.html
and the draft settings for the STIG: http://scap-securityguide.rhcloud.com/RHEL6/output/table-stig-rhel6.html

On Thu, Jul 3, 2014 at 12:16 PM, Shawn Wells <[email protected]> wrote:
>
> On 7/3/14, 11:46 AM, Steve Grubb wrote:
> > On Thursday, July 03, 2014 04:21:05 PM Stuart Green wrote:
> > > One of the hardening parameters we use to stop execution of programs on
> > > certain partitions is noexec in fstab, this is a general C.I.S requirement.
> > > I believe the only requirement advising this in the context of this list
> > > is to do with Removable Media Partitions.
> >
> > Generally you would want anywhere a program can be compiled because the
> > directory is writable by anyone. For example, /tmp, /var/tmp, /dev/shm.
>
> Right. We've content for removable partitions:
> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/system/permissions/partitions.xml#L54#L74
>
> /tmp:
> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/system/permissions/partitions.xml#L110#L122
>
> and /dev/shm:
> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/system/permissions/partitions.xml#L153#L166
>
> /var/tmp is bind mounted to /tmp, hence no callout for noexec:
> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/system/permissions/partitions.xml#L182#L197
>
> Interestingly, only /tmp is called out in the STIG (inherited from common)...
> and I don't remember why the others aren't. Especially removable partitions.
>
> Jeff? Dave? FSO?
>
> > > I've noted myself that you can still execute bash scripts in these
> > > partitions by utilising /bin/sh (bash), in our environment /bin/sh is
> > > set to -rwxr-xr-x which I believe is an OOB setting, should this be
> > > refined to something more strict?
> >
> > Actually, you need to think about this a bit. The script is not executing,
> > it's being interpreted. The interpreter is executed. There is no way short of
> > patching all interpreters to look at the partition flags to decide if it
> > should interpret the script based on its path. Even so, you can have commands
> > passed over stdin with cat and hide the location it comes from.
> >
> > So, I understand the concern but the reality is that it's virtually impossible
> > to lock down.
>
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
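As an added example (not code from this thread or from scap-security-guide), here is a POSIX shell check for the noexec option on the mount points the thread names (/tmp, /var/tmp, /dev/shm) plus a hypothetical removable-media mount at /media/usb, run against a constructed /proc/mounts sample; it also distinguishes "mounted without noexec" from "not a separate mount at all", since a directory that is not its own mount just inherits the parent's options.

```shell
#!/bin/sh
# Audit mount points for noexec. As Steve notes above, noexec only blocks
# direct execution of files on that filesystem; "sh /tmp/script" executes the
# interpreter, so treat this as a baseline check, not a complete control.

# Constructed sample in /proc/mounts format (not captured from a real host).
# /var/tmp is a bind mount of /tmp, so it shows /tmp's device and options.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev 0 0'

# Mount points to audit; /media/usb is a hypothetical removable-media mount.
AUDIT_MOUNTS='/tmp /var/tmp /dev/shm /media/usb'

# mount_has_option MOUNTPOINT OPTION [MOUNTS_TEXT]
# Exit status: 0 = mounted with the option, 1 = mounted without it,
# 2 = not a separate mount point. Defaults to the live /proc/mounts.
mount_has_option() {
    mp=$1; opt=$2; table=${3:-$(cat /proc/mounts)}
    line=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print; exit }')
    [ -n "$line" ] || return 2
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    case ",$opts," in
        *",$opt,"*) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_noexec [MOUNTS_TEXT]: prints one PASS/FAIL line per mount point and
# returns the number of findings, so exit status 0 means all are noexec.
audit_noexec() {
    table=${1:-$(cat /proc/mounts)}
    findings=0
    for mp in $AUDIT_MOUNTS; do
        if mount_has_option "$mp" noexec "$table"; then
            echo "PASS $mp is mounted noexec"
        else
            case $? in
                1) echo "FAIL $mp is a separate mount but lacks noexec" ;;
                *) echo "FAIL $mp is not a separate mount point" ;;
            esac
            findings=$((findings + 1))
        fi
    done
    return $findings
}

audit_noexec "$SAMPLE_MOUNTS"; echo "findings: $?"
```

Drop the sample argument (`audit_noexec`) to audit the running host from /proc/mounts.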
