extended mount checks

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-06-01 02:20:27 +00:00 · 2022-05-17 12:28:04 +01:00
parent da094db553
commit 8a3573753e
6 changed files with 313 additions and 8 deletions
@@ -16,12 +16,53 @@ mount:
    meta:
      server: 1
      workstation: 1
-      CIS_ID: 
+      CIS_ID:
      - 1.1.3.3
      - 1.1.3.4
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
+command:
+  {{ if .Vars.rhel9cis_rule_1_1_3_3 }}
+  noexec_var_fstab:
+     title: 1.1.3.3 | Ensure noexec option set on /var partition | fstab config
+     exec: grep '.*\/var\s.*noexec.*$' \/etc\/fstab
+     exit-status:
+       or:
+       - 0
+       - 1
+     stdout:
+     - '/.*\/var\s.*noexec.*$/'
+     meta:
+      server: 1
+      workstation: 1
+      CIS_ID:
+      - 1.1.3.3
+      CISv8: 3.3
+      CISv8_IG1: true
+      CISv8_IG2: true
+      CISv8_IG3: true
  {{ end }}
-{{ end }}
+  {{ if .Vars.rhel9cis_rule_1_1_3_4 }}
+  nosuid_var_tmp_fstab:
+     title: 1.1.3.4 | Ensure nosuid option set on /var partition | fstab config
+     exec: grep '.*\/var\s.*nosuid.*$' \/etc\/fstab
+     exit-status:
+       or:
+       - 0
+       - 1
+     stdout:
+     - '/.*\/var\s.*nosuid.*$/'
+     meta:
+      server: 1
+      workstation: 1
+      CIS_ID:
+      - 1.1.3.4
+      CISv8: 3.3
+      CISv8_IG1: true
+      CISv8_IG2: true
+      CISv8_IG3: true
+  {{ end }}
+  {{ end }}
+{{ end }}
@@ -16,12 +16,53 @@ mount:
    meta:
      server: 1
      workstation: 1
-      CIS_ID: 
+      CIS_ID:
      - 1.1.4.3
      - 1.1.4.4
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
+command:
+  {{ if .Vars.rhel9cis_rule_1_1_4_3 }}
+  noexec_var_tmp_fstab:
+     title: 1.1.4.3 | Ensure noexec option set on /var/tmp partition | fstab config
+     exec: grep '.*\/var\/tmp\s.*noexec.*$' \/etc\/fstab
+     exit-status:
+       or:
+       - 0
+       - 1
+     stdout:
+     - '/.*\/var\/tmp\s.*noexec.*$/'
+     meta:
+       server: 1
+       workstation: 1
+       CIS_ID:
+       - 1.1.4.3
+       CISv8: 3.3
+       CISv8_IG1: true
+       CISv8_IG2: true
+       CISv8_IG3: true
+  {{ end }}
+  {{ if .Vars.rhel9cis_rule_1_1_4_4 }}
+  nodev_var_tmp_fstab:
+     title: 1.1.4.4 | Ensure nodev option set on /var/tmp partition | fstab config
+     exec: grep '.*\/var\/tmp\s.*nodev.*$' \/etc\/fstab
+     exit-status:
+       or:
+       - 0
+       - 1
+     stdout:
+     - '/.*\/var\/tmp\s.*nodev.*$/'
+     meta:
+       server: 1
+       workstation: 1
+       CIS_ID:
+       - 1.1.4.4
+       CISv8: 3.3
+       CISv8_IG1: true
+       CISv8_IG2: true
+       CISv8_IG3: true
+  {{ end }}
  {{ end }}
 {{ end }}
@@ -28,5 +28,66 @@ mount:
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
+command:
+  {{ if .Vars.rhel9cis_rule_1_1_5_2 }}
+  nodev_var_log_fstab:
+     title: 1.1.5.2 | Ensure nodev option set on /var/log partition | fstab config
+     exec: grep '.*\/var\/log\s.*nodev.*$' \/etc\/fstab
+     exit-status:
+       or:
+       - 0
+       - 1
+     stdout:
+     - '/.*\/var\/log\s.*nodev.*$/'
+     meta:
+       server: 1
+       workstation: 1
+       CIS_ID:
+       - 1.1.5.2
+       CISv8: 3.3
+       CISv8_IG1: true
+       CISv8_IG2: true
+       CISv8_IG3: true
+  {{ end }}
+  {{ if .Vars.rhel9cis_rule_1_1_5_3 }}
+  noexec_var_log_fstab:
+     title: 1.1.5.3 | Ensure noexec option set on /var/log partition | fstab config
+     exec: grep '.*\/var\/log\s.*noexec.*$' \/etc\/fstab
+     exit-status:
+       or:
+       - 0
+       - 1
+     stdout:
+     - '/.*\/var\/log\s.*noexec.*$/'
+     meta:
+       server: 1
+       workstation: 1
+       CIS_ID:
+       - 1.1.5.3
+       CISv8: 3.3
+       CISv8_IG1: true
+       CISv8_IG2: true
+       CISv8_IG3: true
+  {{ end }}
+  {{ if .Vars.rhel9cis_rule_1_1_5_4 }}
+  nosuid_var_log_fstab:
+     title: 1.1.5.4 | Ensure nosuid option set on /var/log partition | fstab config
+     exec: grep '.*\/var\/log\s.*nosuid.*$' \/etc\/fstab
+     exit-status:
+       or:
+       - 0
+       - 1
+     stdout:
+     - '/.*\/var\/log\s.*nosuid.*$/'
+     meta:
+       server: 1
+       workstation: 1
+       CIS_ID:
+       - 1.1.5.4
+       CISv8: 3.3
+       CISv8_IG1: true
+       CISv8_IG2: true
+       CISv8_IG3: true
+  {{ end }}
  {{ end }}
 {{ end }}
@@ -21,12 +21,73 @@ mount:
      server: 1
      workstation: 1
      CIS_ID: 
-      - 1.1.5.2
-      - 1.1.5.3
-      - 1.1.5.4
+      - 1.1.6.2
+      - 1.1.6.3
+      - 1.1.6.4
      CISv8: 3.3
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
+command:
+  {{ if .Vars.rhel9cis_rule_1_1_6_2 }}
+  nodev_var_log_audit_fstab:
+     title: 1.1.6.2 | Ensure nodev option set on /var/log/audit partition | fstab config
+     exec: grep '.*\/var\/log\/audit\s.*nodev.*$' \/etc\/fstab
+     exit-status:
+       or:
+       - 0
+       - 1
+     stdout:
+     - '/.*\/var\/log\/audit\s.*nodev.*$/'
+     meta:
+       server: 1
+       workstation: 1
+       CIS_ID:
+       - 1.1.6.2
+       CISv8: 3.3
+       CISv8_IG1: true
+       CISv8_IG2: true
+       CISv8_IG3: true
+  {{ end }}
+  {{ if .Vars.rhel9cis_rule_1_1_6_3 }}
+  noexec_var_log_audit_fstab:
+     title: 1.1.6.3 | Ensure noexec option set on /var/log/audit partition | fstab config
+     exec: grep '.*\/var\/log\/audit\s.*noexec.*$' \/etc\/fstab
+     exit-status:
+       or:
+       - 0
+       - 1
+     stdout:
+     - '/.*\/var\/log\/audit\s.*noexec.*$/'
+     meta:
+       server: 1
+       workstation: 1
+       CIS_ID:
+       - 1.1.6.3
+       CISv8: 3.3
+       CISv8_IG1: true
+       CISv8_IG2: true
+       CISv8_IG3: true
+  {{ end }}
+  {{ if .Vars.rhel9cis_rule_1_1_6_4 }}
+  nosuid_var_log_audit_fstab:
+     title: 1.1.6.4 | Ensure nosuid option set on /var/log/audit partition | fstab config
+     exec: grep '.*\/var\/log\/audit\s.*nosuid.*$' \/etc\/fstab
+     exit-status:
+       or:
+       - 0
+       - 1
+     stdout:
+     - '/.*\/var\/log\/audit\s.*nosuid.*$/'
+     meta:
+       server: 1
+       workstation: 1
+       CIS_ID:
+       - 1.1.6.4
+       CISv8: 3.3
+       CISv8_IG1: true
+       CISv8_IG2: true
+       CISv8_IG3: true
+  {{ end }}
  {{ end }}
 {{ end }}
@@ -41,6 +41,46 @@ package:
      CISv8_IG2: true
      CISv8_IG3: true
 command:
+  {{ if .Vars.rhel9cis_rule_1_1_7_2 }}
+  nodev_home_fstab:
+     title: 1.1.7.2 | Ensure nodev option set on /home partition | fstab config
+     exec: grep '.*\home\s.*nodev.*$' \/etc\/fstab
+     exit-status:
+       or:
+       - 0
+       - 1
+     stdout:
+     - '/.*\/home\s.*nodev.*$/'
+     meta:
+       server: 1
+       workstation: 1
+       CIS_ID:
+       - 1.1.7.2
+       CISv8: 3.3
+       CISv8_IG1: true
+       CISv8_IG2: true
+       CISv8_IG3: true
+  {{ end }}
+  {{ if .Vars.rhel9cis_rule_1_1_7_3 }}
+  nosuid_home_fstab:
+     title: 1.1.7.3 | Ensure nosuid option set on /home partition | fstab config
+     exec: grep '.*\home\s.*nosuid.*$' \/etc\/fstab
+     exit-status:
+       or:
+       - 0
+       - 1
+     stdout:
+     - '/.*\/home\s.*nosuid.*$/'
+     meta:
+       server: 1
+       workstation: 1
+       CIS_ID:
+       - 1.1.7.3
+       CISv8: 3.3
+       CISv8_IG1: true
+       CISv8_IG2: true
+       CISv8_IG3: true
+  {{ end }}
  quota_enabled:
    title: |
      1.1.7.4 | Ensure usrquota option set on /home partition | quota enabled
@@ -61,8 +101,8 @@ command:
      CISv8_IG3: true
  home_quotas:
    title: |
-      1.1.7.4 | Ensure usrquota option set on /home partition
-      1.1.7.5 | Ensure grpquota option set on /home partition
+      1.1.7.4 | Ensure usrquota option set on /home partition | live mount
+      1.1.7.5 | Ensure grpquota option set on /home partition | live mount
    exec: mount -l | grep home
    exit-status: 0
    stdout:
@@ -28,4 +28,65 @@ mount:
      CISv8_IG1: true
      CISv8_IG2: true
      CISv8_IG3: true
+command:
+  {{ if .Vars.rhel9cis_rule_1_1_8_1 }}
+  nodev_var_log_audit_fstab:
+     title: 1.1.8.1 | Ensure nodev option set on /dev/shm partition | fstab config
+     exec: grep '.*\/dev\/shm\s.*nodev.*$' \/etc\/fstab
+     exit-status:
+       or:
+       - 0
+       - 1
+     stdout:
+     - '/.*\/dev\/shm\s.*nodev.*$/'
+     meta:
+       server: 1
+       workstation: 1
+       CIS_ID:
+       - 1.1.8.1
+       CISv8: 3.3
+       CISv8_IG1: true
+       CISv8_IG2: true
+       CISv8_IG3: true
+  {{ end }}
+  {{ if .Vars.rhel9cis_rule_1_1_8_2 }}
+  noexec_var_log_audit_fstab:
+     title: 1.1.8.2 | Ensure noexec option set on /dev/shm partition | fstab config
+     exec: grep '.*\/dev\/shm\s.*noexec.*$' \/etc\/fstab
+     exit-status:
+       or:
+       - 0
+       - 1
+     stdout:
+     - '/.*\/dev\/shm\s.*noexec.*$/'
+     meta:
+       server: 1
+       workstation: 1
+       CIS_ID:
+       - 1.1.8.2
+       CISv8: 3.3
+       CISv8_IG1: true
+       CISv8_IG2: true
+       CISv8_IG3: true
+  {{ end }}
+  {{ if .Vars.rhel9cis_rule_1_1_8_3 }}
+  nosuid_var_log_audit_fstab:
+     title: 1.1.8.3 | Ensure nosuid option set on /dev/shm partition | fstab config
+     exec: grep '.*\/dev\/shm\s.*nosuid.*$' \/etc\/fstab
+     exit-status:
+       or:
+       - 0
+       - 1
+     stdout:
+     - '/.*\/dev\/shm\s.*nosuid.*$/'
+     meta:
+       server: 1
+       workstation: 1
+       CIS_ID:
+       - 1.1.8.3
+       CISv8: 3.3
+       CISv8_IG1: true
+       CISv8_IG2: true
+       CISv8_IG3: true
+  {{ end }}
 {{ end }}