feat(os-14) add rule to check noexec, nosuid and nodev mount options

Setting the `noexec`, `nosuid` and `nodev` mount options for mount points where those features are not required, limits possible attack vectors. Closes: dev-sec#163 Signed-off-by: Claudius Heine <[email protected]>
siemens · Oct 26, 2021 · 88c9f6b · 88c9f6b
1 parent e503f97
commit 88c9f6b
Showing 1 changed file with 64 additions and 0 deletions.
diff --git a/controls/os_spec.rb b/controls/os_spec.rb
@@ -41,6 +41,39 @@
 
 cpuvulndir = '/sys/devices/system/cpu/vulnerabilities/'
 
+mount_noexec_blacklist = attribute(
+  'noexec_blacklist',
+  value: '/boot:/dev:/dev/shm:/tmp:/var/log:/var/log/audit:/var/tmp:/media:/run/mount',
+  description: 'Colon separated list of paths where \'noexec\' mount option shoud be set'
+)
+mount_noexec_whitelist = attribute(
+  'noexec_whitelist',
+  value: '/bin:/sbin:/lib:/usr/bin:/usr/sbin:/usr/lib:/usr/libexec:/dev/hugepages',
+  description: 'Colon separated list of paths where \'noexec\' mount option is not possible'
+)
+
+mount_nosuid_blacklist = attribute(
+  'nosuid_blacklist',
+  value: '/boot:/dev:/dev/shm:/home:/run:/tmp:/var:/var/log:/var/log/audit:/var/tmp:/media:/run/mount',
+  description: 'Colon separated list of paths where \'nosuid\' mount option shoud be set'
+)
+mount_nosuid_whitelist = attribute(
+  'nosuid_whitelist',
+  value: '/bin:/sbin:/lib:/usr/bin:/usr/sbin:/usr/lib:/dev/hugepages',
+  description: 'Colon separated list of paths where \'nosuid\' mount option is not possible'
+)
+
+mount_nodev_blacklist = attribute(
+  'nodev_blacklist',
+  value: '/boot:/dev/shm:/home:/run:/tmp:/var:/var/log:/var/log/audit:/var/tmp:/media:/run/mount',
+  description: 'Colon separated list of paths where \'nodev\' mount option shoud be set'
+)
+mount_nodev_whitelist = attribute(
+  'nodev_whitelist',
+  value: '/dev:/dev/pts',
+  description: 'Colon separated list of paths where \'nodev\' mount option is not possible'
+)
+
 control 'os-01' do
   impact 1.0
   title 'Trusted hosts login'
@@ -282,3 +315,34 @@
     end
   end
 end
+
+control 'os-14' do
+  impact 1.0
+  title 'Check mount options (noexec, nodev, nosuid)'
+  desc 'Use the noexec, nodev and nosuid mount options to limit attack vectors via mount points'
+
+  inspec.backend.file('/proc/self/mountinfo').content.split("\n").each do |mnt_line|
+    mnt_point = mnt_line.split[4]
+
+    if mount_noexec_blacklist.split(':').any? { |s| mnt_point.start_with? s } &&
+       mount_noexec_whitelist.split(':').none? { |s| s.start_with? mnt_point }
+      describe mount(mnt_point) do
+        its('options') { should satisfy("not be set or include 'noexec'") { |v| v.nil? || v.include?('noexec') } }
+      end
+    end
+
+    if mount_nosuid_blacklist.split(':').any? { |s| mnt_point.start_with? s } &&
+       mount_nosuid_whitelist.split(':').none? { |s| s.start_with? mnt_point }
+      describe mount(mnt_point) do
+        its('options') { should satisfy("not be set or include 'nosuid'") { |v| v.nil? || v.include?('nosuid') } }
+      end
+    end
+
+    next unless mount_nodev_blacklist.split(':').any? { |s| mnt_point.start_with? s } &&
+                mount_nodev_whitelist.split(':').none? { |s| s.start_with? mnt_point }
+
+    describe mount(mnt_point) do
+      its('options') { should satisfy("not be or include 'nodev'") { |v| v.nil? || v.include?('nodev') } }
+    end
+  end
+end