CB-27820 Loopback filesystem mounted with noexec as /tmp #1093

Open
wants to merge 1 commit into
base: master
Expand Up @@ -227,7 +227,7 @@ create_saltapi_certificates() {
}

resize_partitions() {
if [ $CLOUD_PLATFORM == "AZURE" ] && ([ $OS == "redhat7" ] || [ $OS == "redhat8" ]); then
if [ $CLOUD_PLATFORM == "AZURE" ]; then
if [ $OS == "redhat7" ]; then
# Relocating backup data structures to the end of the disk
printf "x\ne\nw\nY\n" | gdisk /dev/sda
Expand Down Expand Up @@ -255,6 +255,12 @@ resize_partitions() {
# Extend root logical volume to remaining free space
lvextend -l +100%free -r /dev/mapper/rootvg-rootlv
fi
else
# create and mount loopback filesystem for /tmp with same size as Azure logical volume
dd if=/dev/zero of=/var/tmpfs bs=1M count=12288
yes | mkfs.ext4 /var/tmpfs
echo "/var/tmpfs /tmp ext4 mode=1777,strictatime,nosuid,nodev,noexec 0 0" >> /etc/fstab
mount -a
fi
}

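--- a/saltstack/final/salt/cis-controls/common.sls
+++ b/saltstack/final/salt/cis-controls/common.sls
@@ -199,3 +199,12 @@ remove_unnecessary_whitespaces_from_yum_repo_files:
 cmd.run:
 - name: find /etc/yum.repos.d -type f -exec sed -i 's/ = /=/g' {} \;
 - onlyif: ls -la /etc/yum.repos.d/
+
+{% if cloud_provider == 'GCP' %}
+# default location is /tmp which has noexec mount option
+set_gcp_startup_script_location:
+file.replace:
+- name: /etc/default/instance_configs.cfg
+- pattern: '^run_dir ='
+- repl: 'run_dir = /root'
+{% endif %}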
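Review bot: `set_gcp_startup_script_location` reports success with no change when `/etc/default/instance_configs.cfg` contains no line matching `^run_dir =`, so on such an image the GCP startup scripts silently keep running from the noexec /tmp this PR introduces. The pattern is a Python regex, so `- pattern: '^run_dir\s*='` would tolerate spacing variants of the key, and `- append_if_not_found: True` would handle the absent-key case instead of skipping it (it appends at end of file, so confirm that is where the guest agent reads `run_dir`; I can't tell from this hunk). The `cloud_provider` variable guarding the block is not defined here; it presumably comes from an earlier Jinja assignment in the file, and it is worth confirming it carries the same value as the `CLOUD_PROVIDER` environment variable used in redhat8.sls.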
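--- a/saltstack/final/salt/cis-controls/redhat8.sls
+++ b/saltstack/final/salt/cis-controls/redhat8.sls
@@ -82,7 +82,7 @@ deny_nobody:
 
 add_cis_control_sh:
 file.managed:
-- name: /tmp/cis_control.sh
+- name: /opt/provision-scripts/cis_control.sh
 - makedirs: True
 - mode: 755
 - source: salt://cis-controls/scripts/cis_control.sh
@@ -97,12 +97,8 @@ add_hardening_playbooks:
 
 execute_cis_control_sh:
 cmd.run:
-- name: /tmp/cis_control.sh
+- name: /opt/provision-scripts/cis_control.sh
 - env:
 - IMAGE_BASE_NAME: {{ salt['environ.get']('IMAGE_BASE_NAME') }}
 - CLOUD_PROVIDER: {{ salt['environ.get']('CLOUD_PROVIDER') }}
 - STIG_ENABLED: {{ salt['environ.get']('STIG_ENABLED') }}
-
-remove_cis_control_sh:
-file.absent:
-- name: /tmp/cis_control.sh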
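Review bot: Dropping `remove_cis_control_sh` leaves `/opt/provision-scripts/cis_control.sh` (mode 755, created with `makedirs`) on the final image, whereas the old /tmp copy was deleted after execution; the PR description does not say the script is meant to persist. If it is only needed at build time, re-add the cleanup against the new path and order it after the run with a `require` so the hardening step cannot race the deletion. Separately, `- mode: 755` is an unquoted integer; Salt's file.managed documentation asks for modes as quoted strings (`- mode: '0755'`) so the value is not misread as decimal.
```yaml
remove_cis_control_sh:
  file.absent:
    - name: /opt/provision-scripts/cis_control.sh
    - require:
      - cmd: execute_cis_control_sh
```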
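--- a/saltstack/final/salt/cis-controls/scripts/cis_control.sh
+++ b/saltstack/final/salt/cis-controls/scripts/cis_control.sh
@@ -38,8 +38,6 @@ if [ "${CLOUD_PROVIDER}" == "Azure" ]; then
 if [ "${STIG_ENABLED}" != "True" ]; then
 SKIP_TAGS+=",kernel_module_udf_disabled"
 fi
-# Temporarily disable tmp noexec as CM fails to start REGIONSERVER. Can be removed when CM side fix is done by OPSAPS-68448
-SKIP_TAGS+=",mount_option_tmp_noexec"
 fi
 
 #Install and download what we need for the hardening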