From 9234f3c0bc6d6dc50de9351557e2c268fa16186d Mon Sep 17 00:00:00 2001
From: David Bajzath
Date: Fri, 22 Nov 2024 13:57:36 +0100
Subject: [PATCH] CB-27820 Loopback filesystem mounted with noexec as /tmp

Moved /tmp loopback filesystem creation to provision time to save space.
---
 .../base/salt/prerequisites/usr/bin/user-data-helper.sh | 8 +++++++-
 saltstack/final/salt/cis-controls/common.sls | 9 +++++++++
 saltstack/final/salt/cis-controls/redhat8.sls | 8 ++------
 saltstack/final/salt/cis-controls/scripts/cis_control.sh | 2 --
 4 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/saltstack/base/salt/prerequisites/usr/bin/user-data-helper.sh b/saltstack/base/salt/prerequisites/usr/bin/user-data-helper.sh
index acb2fedb..c739aa5b 100755
--- a/saltstack/base/salt/prerequisites/usr/bin/user-data-helper.sh
+++ b/saltstack/base/salt/prerequisites/usr/bin/user-data-helper.sh
@@ -227,7 +227,7 @@ create_saltapi_certificates() {
 }
 
 resize_partitions() {
- if [ $CLOUD_PLATFORM == "AZURE" ] && ([ $OS == "redhat7" ] || [ $OS == "redhat8" ]); then
+ if [ $CLOUD_PLATFORM == "AZURE" ]; then
 if [ $OS == "redhat7" ]; then
 # Relocating backup data structures to the end of the disk
 printf "x\ne\nw\nY\n" | gdisk /dev/sda
@@ -255,6 +255,12 @@ resize_partitions() {
 # Extend root logical volume to remaining free space
 lvextend -l +100%free -r /dev/mapper/rootvg-rootlv
 fi
+ else
+ # create and mount loopback filesystem for /tmp with same size as Azure logical volume
+ dd if=/dev/zero of=/var/tmpfs bs=1M count=12288
+ yes | mkfs.ext4 /var/tmpfs
+ echo "/var/tmpfs /tmp ext4 mode=1777,strictatime,nosuid,nodev,noexec 0 0" >> /etc/fstab
+ mount -a
 fi
 }
 
diff --git a/saltstack/final/salt/cis-controls/common.sls b/saltstack/final/salt/cis-controls/common.sls
index 757646a3..f084d6a6 100644
--- a/saltstack/final/salt/cis-controls/common.sls
+++ b/saltstack/final/salt/cis-controls/common.sls
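Review bot: The new `else` branch in resize_partitions() (second hunk) never checks whether `dd`, `mkfs.ext4` or `mount -a` succeeded, so a failed 12 GiB write on a small /var still leaves a truncated /var/tmpfs, a fresh fstab entry and a /tmp that may not mount on the next boot. `mode=1777` is a tmpfs option rather than an ext4 one, and as far as I know ext4 rejects unrecognized mount options, so it is worth confirming that `mount -a` really mounts /tmp here and that the root directory of the freshly made filesystem ends up 1777 rather than the 0755 that mkfs gives it. The backing file is created under the caller's umask, so /var/tmpfs is likely world-readable, which would let any local user read every other user's /tmp contents through the image file and bypass the sticky bit on the mountpoint; the fstab append is also not idempotent. The first hunk's widened condition means this branch now runs on every non-Azure platform, which I assume is intended; resize_partitions() continues between the two hunks, outside what is shown. A rewritten branch that addresses these points follows.

```shell
    else
        # Loopback-backed /tmp; the backing file must not be readable by other users
        install -m 600 -o root -g root /dev/null /var/tmpfs
        dd if=/dev/zero of=/var/tmpfs bs=1M count=12288 || { echo "creating /var/tmpfs failed" >&2; return 1; }
        yes | mkfs.ext4 /var/tmpfs || return 1
        # mode= is a tmpfs option; the ext4 root directory gets its permissions via chmod after mounting
        grep -q '^/var/tmpfs ' /etc/fstab || echo "/var/tmpfs /tmp ext4 strictatime,nosuid,nodev,noexec 0 0" >> /etc/fstab
        mount /tmp || return 1
        chmod 1777 /tmp
    fi
```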
@@ -199,3 +199,12 @@ remove_unnecessary_whitespaces_from_yum_repo_files:
 cmd.run:
 - name: find /etc/yum.repos.d -type f -exec sed -i 's/ = /=/g' {} \;
 - onlyif: ls -la /etc/yum.repos.d/
+
+{% if cloud_provider == 'GCP' %}
+# default location is /tmp which has noexec mount option
+set_gcp_startup_script_location:
+ file.replace:
+ - name: /etc/default/instance_configs.cfg
+ - pattern: '^run_dir ='
+ - repl: 'run_dir = /root'
+{% endif %}
diff --git a/saltstack/final/salt/cis-controls/redhat8.sls b/saltstack/final/salt/cis-controls/redhat8.sls
index e96af0dd..d150a182 100644
--- a/saltstack/final/salt/cis-controls/redhat8.sls
+++ b/saltstack/final/salt/cis-controls/redhat8.sls
@@ -82,7 +82,7 @@ deny_nobody:
 
 add_cis_control_sh:
 file.managed:
- - name: /tmp/cis_control.sh
+ - name: /opt/provision-scripts/cis_control.sh
 - makedirs: True
 - mode: 755
 - source: salt://cis-controls/scripts/cis_control.sh
@@ -97,12 +97,8 @@ add_hardening_playbooks:
 
 execute_cis_control_sh:
 cmd.run:
- - name: /tmp/cis_control.sh
+ - name: /opt/provision-scripts/cis_control.sh
 - env:
 - IMAGE_BASE_NAME: {{ salt['environ.get']('IMAGE_BASE_NAME') }}
 - CLOUD_PROVIDER: {{ salt['environ.get']('CLOUD_PROVIDER') }}
 - STIG_ENABLED: {{ salt['environ.get']('STIG_ENABLED') }}
-
-remove_cis_control_sh:
- file.absent:
- - name: /tmp/cis_control.sh
\ No newline at end of file
diff --git a/saltstack/final/salt/cis-controls/scripts/cis_control.sh b/saltstack/final/salt/cis-controls/scripts/cis_control.sh
index cb965bad..9cafb346 100755
--- a/saltstack/final/salt/cis-controls/scripts/cis_control.sh
+++ b/saltstack/final/salt/cis-controls/scripts/cis_control.sh
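Review bot: `file.replace` with `pattern: '^run_dir ='` silently changes nothing if the key is absent or commented out in /etc/default/instance_configs.cfg on the base image, and the GCP startup scripts would then keep being staged under the noexec /tmp with no failure visible in the highstate. Worth either confirming the line is present uncommented on the image, or managing the key with `ini.options_present` on the `MetadataScripts` section (where I believe the guest agent reads `run_dir`, verify), rather than `append_if_not_found`, which would drop the line into whatever section ends the file. Also check that `cloud_provider` is spelled `'GCP'` where it is set, since the other files in this patch compare `CLOUD_PROVIDER` against `Azure` and `CLOUD_PLATFORM` against `AZURE`, two different conventions. The comment could say what the key controls: `# google-guest-agent stages metadata startup/shutdown scripts in run_dir; /tmp is mounted noexec, so point it at /root`.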
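Review bot: With `remove_cis_control_sh` deleted in the second redhat8.sls hunk and the script now written to /opt/provision-scripts/cis_control.sh with `mode: 755` in the first, the hardening script stays on the finished image, world-readable and executable, together with its skip-tag logic and the environment variables it expects, where previously it was removed after running. Unless it is meant to be re-run on deployed hosts, keep the cleanup pointed at the new path as the last state: `remove_cis_control_sh:` / `  file.absent:` / `    - name: /opt/provision-scripts/cis_control.sh`, plus a `file.absent` on the directory if nothing else lives there. If that re-run is intended, a comment on `add_cis_control_sh` saying so would stop the next reader from re-adding the cleanup.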
@@ -38,8 +38,6 @@ if [ "${CLOUD_PROVIDER}" == "Azure" ]; then
 if [ "${STIG_ENABLED}" != "True" ]; then
 SKIP_TAGS+=",kernel_module_udf_disabled"
 fi
- # Temporarily disable tmp noexec as CM fails to start REGIONSERVER. Can be removed when CM side fix is done by OPSAPS-68448
- SKIP_TAGS+=",mount_option_tmp_noexec"
 fi
 
 #Install and download what we need for the hardening