- Type: Bug
- Resolution: Unresolved
- Priority: Undefined
- Affects Version: 4.14.z
- Severity: Moderate
Description of problem:
According to the "CIS Red Hat Enterprise Linux 9 Benchmark", chapter "1.1.2.1.4 Ensure noexec option set on /tmp partition (Automated)", /tmp should be mounted with the noexec mount option. There seems to be no corresponding rule in the CIS profiles for OCP, but the rule `rhcos4-mount-option-tmp-noexec` exists and can be included via a TailoredProfile. This works and the initial scan reports NON-COMPLIANT as expected, but the check keeps reporting NON-COMPLIANT even after the mitigation (mounting /tmp with noexec) has been put in place.
Version-Release number of selected component (if applicable):
- OCP 4.14.36 - compliance-operator.v1.6.0
How reproducible:
Install OCP 4.14.16 and compliance-operator.v1.6.0, configure a tailored profile including `rhcos4-mount-option-tmp-noexec`, run a scan and get NON-COMPLIANT, apply a mitigation so that /tmp is mounted with noexec, and run the scan again; it still fails.
Steps to Reproduce:
1. Install OCP 4.14.16 and compliance-operator.v1.6.0

2. Create a tailored profile, e.g.:

~~~
cat << EOF |oc create -f -
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: daniels-custom-tmp-noexec
  annotations:
    compliance.openshift.io/product-type: Node
spec:
  description: My custom profile for tmp-noexec
  title: Custom profile tmp-noexec
  enableRules:
    - name: rhcos4-mount-option-tmp-noexec
      rationale: We really need to enable this
EOF
~~~

3. Create a ScanSettingBinding:

~~~
cat << EOF |oc create -f -
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: daniels-scansettingbinding
profiles:
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: TailoredProfile
    name: daniels-custom-tmp-noexec
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
EOF
~~~

4. Wait for the result:

~~~
$ oc get compliancescan
NAME                               PHASE   RESULT
daniels-custom-tmp-noexec-master   DONE    NON-COMPLIANT
~~~

5. Create the following mitigation:

~~~
$ cat 99-tmp-noexec-master.bu
variant: openshift
version: 4.14.0
metadata:
  name: 99-tmp-noexec-master
  labels:
    machineconfiguration.openshift.io/role: master
storage:
  files:
    - path: /etc/systemd/system/tmp.mount
      mode: 0644
      overwrite: true
      contents:
        inline: |
          # SPDX-License-Identifier: LGPL-2.1-or-later
          #
          # This file is part of systemd.
          #
          # systemd is free software; you can redistribute it and/or modify it
          # under the terms of the GNU Lesser General Public License as published by
          # the Free Software Foundation; either version 2.1 of the License, or
          # (at your option) any later version.

          [Unit]
          Description=Temporary Directory /tmp
          Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
          Documentation=man:file-hierarchy(7)
          Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
          ConditionPathIsSymbolicLink=!/tmp
          DefaultDependencies=no
          Conflicts=umount.target
          Before=local-fs.target umount.target
          After=swap.target

          [Mount]
          What=tmpfs
          Where=/tmp
          Type=tmpfs
          Options=mode=1777,strictatime,nosuid,nodev,noexec,size=50%%,nr_inodes=1m

          # Make 'systemctl enable tmp.mount' work:
          [Install]
          WantedBy=local-fs.target
~~~

6. `butane 99-tmp-noexec-master.bu > 99-tmp-noexec-master.yaml`

7. `oc create -f 99-tmp-noexec-master.yaml`

8. Wait for the system to reboot and check /tmp:

~~~
$ ssh -q core@sno sudo mount | grep '\s/tmp\s'
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,seclabel,size=297138108k,nr_inodes=1048576,inode64)
                                          ^^^^^^
$
~~~

9. Rerun the scan and check:

~~~
$ oc -n openshift-compliance annotate compliancescans/daniels-custom-tmp-noexec-master compliance.openshift.io/rescan=
$
$ oc get compliancescan -w
NAME                               PHASE         RESULT
daniels-custom-tmp-noexec-master   RUNNING       NOT-AVAILABLE
daniels-custom-tmp-noexec-master   AGGREGATING   NOT-AVAILABLE
daniels-custom-tmp-noexec-master   AGGREGATING   NOT-AVAILABLE
daniels-custom-tmp-noexec-master   DONE          NON-COMPLIANT
~~~
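To confirm the mitigation on a node independently of the scanner result, the following shell example (added here; it is neither from the bug report nor from the compliance operator) parses a mount table from stdin, accepting both `mount` output as shown in step 8 and `/proc/mounts` lines, and reports whether a given mount point carries a given option. The sample tables are constructed to match the step 8 output, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example: check that a mount point carries a given mount option
# (e.g. noexec on /tmp). Reads either mount(8) output
# ("tmpfs on /tmp type tmpfs (rw,...)") or /proc/mounts lines
# ("tmpfs /tmp tmpfs rw,... 0 0") from stdin.
# Exit status 0 = mount point present with the option, 1 otherwise.
mount_has_option() {
    # $1 = mount point, $2 = option name (exact token match, e.g. noexec)
    awk -v target="$1" -v opt="$2" '
        {
            if ($2 == "on") {            # mount(8) format
                mp = $3; o = $6; gsub(/[()]/, "", o)
            } else {                     # /proc/mounts format
                mp = $2; o = $4
            }
            if (mp == target) {
                seen = 1
                n = split(o, a, ",")
                for (i = 1; i <= n; i++) if (a[i] == opt) found = 1
            }
        }
        END { if (seen && found) exit 0; exit 1 }
    '
}

# Constructed sample tables, modelled on the output in step 8 of the report.
SAMPLE_MOUNT_NOEXEC='tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,seclabel,size=297138108k,nr_inodes=1048576,inode64)'
SAMPLE_PROC_NOEXEC='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,seclabel,size=297138108k,nr_inodes=1048576,inode64 0 0'
SAMPLE_PROC_EXEC='tmpfs /tmp tmpfs rw,nosuid,nodev,seclabel,size=297138108k,nr_inodes=1048576,inode64 0 0'

# One-line verdict for /tmp; propagates the status so it can be used in
# scripts, e.g.:  ssh -q core@sno sudo mount | check_tmp_noexec
check_tmp_noexec() {
    if mount_has_option /tmp noexec; then
        echo "PASS: /tmp is mounted with noexec"
    else
        echo "FAIL: /tmp is missing noexec (or is not a separate mount)"
        return 1
    fi
}
```

A passing verdict here shows only the live mount state on the node; it does not tell you which source (the running mount table, `/etc/fstab`, or the systemd unit) the scanner's rule actually evaluates, which is the next thing to compare when the scanner disagrees with the node.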
Actual results:
Check shows NON-COMPLIANT
Expected results:
Check shows COMPLIANT after the mitigation (i.e. /tmp is mounted with noexec)
Additional info: