From 13ce982de432cd9b2d717d453729ea06b652ebb5 Mon Sep 17 00:00:00 2001 From: samson Date: Fri, 9 Nov 2018 18:43:55 +0800 Subject: [PATCH] Modify description --- bin/hardening/2.26_home_nosuid.sh | 2 +- .../harbian_audit_Debian_9_Benchmark_v0.1.mkd | 27 +++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/bin/hardening/2.26_home_nosuid.sh b/bin/hardening/2.26_home_nosuid.sh index 0304cb5..2dc38d4 100755 --- a/bin/hardening/2.26_home_nosuid.sh +++ b/bin/hardening/2.26_home_nosuid.sh @@ -5,7 +5,7 @@ # # -# 2.10.1 Set nosuid option for /home filesystem/Partition (Scored) +# 2.26 Set nosuid option for /home filesystem/Partition (Scored) # Authors : Samson wen, Samson # diff --git a/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd b/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd index 757ece0..1796b11 100644 --- a/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd +++ b/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd 
@@ -1,5 +1,32 @@ # harbian audit Debian Linux 9 Benchmark +## 2.26 Set nosuid option for /home filesystem/Partition (scored) + +### Profile Applicability +Level 2 + +### Description +File systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed. + +### Rationale +The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + +### Aduit +Verify file systems that contain user home directories are mounted with the "nosuid" option. Find the file system(s) that contain the user home directories with the following command: +Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system. +``` +# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}" +smithj:1001:/home/smithj +thomasr:1002:/home/thomasr +Check the file systems that are mounted at boot time with the following command: +``` +# more /etc/fstab +UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid 0 2 +``` + +### Remediation +Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories. + ## 5.7 Install screen (scored) ### Profile Applicability
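Review bot: In the bin/hardening/2.26_home_nosuid.sh hunk the renumbered header reads `# 2.26 Set nosuid option for /home filesystem/Partition (Scored)` while the docs hunk in the same patch titles the section `## 2.26 Set nosuid option for /home filesystem/Partition (scored)`, so the two copies of the control name differ in the case of "Scored"/"scored"; pick one spelling (the benchmark document already uses lowercase for `## 5.7 Install screen (scored)`) so the script header and the document stay greppable against each other.

Review bot: In the docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd hunk the fenced code block under "### Aduit" is unbalanced: the fence opened before `# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}"` is not closed after `thomasr:1002:/home/thomasr`, so the sentence "Check the file systems that are mounted at boot time with the following command:" renders inside the code block and the fence that follows it closes the block instead of opening a new one, leaving `# more /etc/fstab` and the UUID line as plain text. Close the fence after the `thomasr` line and open a fresh one before `# more /etc/fstab`. While there, fix the heading typo "Aduit" to "Audit", "setguid" to "setgid" in the Rationale, and "the "/" system" to "the "/" file system" in the Note. The `egrep ":[1-4][0-9]{3}"` filter only lists accounts with UIDs 1000 to 4999, so users with higher UIDs (Debian's login.defs allows regular users up to UID_MAX 60000) are silently missed; `awk -F: '$3 >= 1000 && $3 < 60000 {print $1":"$3":"$6}' /etc/passwd` covers the documented range. Finally, the Remediation only says to configure /etc/fstab; an fstab edit takes effect at the next mount, so the text should also tell the operator to remount (`mount -o remount /home`) or state that a reboot is required for the control to pass.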