
Harden tmp #523

Closed
wants to merge 21 commits into from

Conversation

lbayerlein
Contributor

Add option to manage handling of the /tmp directory. It's possible to mount a device to /tmp with hardened options. If there is no need to mount a disk, this function ensures permissions on the /tmp directory.

If you need changes, tell me, please.

@rndmh3ro
Member

Hey @lbayerlein,

great to see you again! :)

And I very much like this PR. I'd also like to extend it to other mountpoints. Especially the ones we defined in our linux-baseline (https://github.com/dev-sec/linux-baseline/pull/164/files):


# Overview of necessary mount options to be checked:
#
#---------------------------------------------------------
#   Mount point              nodev  noexec  nosuid
#   /boot                      v      v       v
#   /dev                              v       v
#   /dev/shm                   v      v       v
#   /home                      v              v
#   /run                       v              v
#   /tmp                       v      v       v
#   /var                       v              v
#   /var/log                   v      v       v
#   /var/log/audit             v      v       v
#   /var/tmp                   v      v       v
#---------------------------------------------------------

I'm thinking about how to do this in the best way. We could probably duplicate the variables from this PR for all other mountpoints... Or maybe some kind of list?

mounts:
  - tmp:
      enabled: true
      src: ...
      mode: ...
  - var_tmp:
      enabled: false
      src: ...
      mode: ...

I don't know what the best way is. What do you think?

All mounts should be opt-in with secure values pre-defined (as above).
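An added example (not code from this PR or the dev-sec project) that turns the baseline table above into a check: it parses /proc/mounts-style lines (a constructed sample, not real data) and reports which of nodev/noexec/nosuid each separately mounted path is missing, plus which baseline paths are not mounted separately and so cannot be hardened by a remount at all.

```python
# Required options per mount point, transcribed from the linux-baseline table above.
REQUIRED = {
    "/boot": {"nodev", "noexec", "nosuid"},
    "/dev": {"noexec", "nosuid"},
    "/dev/shm": {"nodev", "noexec", "nosuid"},
    "/home": {"nodev", "nosuid"},
    "/run": {"nodev", "nosuid"},
    "/tmp": {"nodev", "noexec", "nosuid"},
    "/var": {"nodev", "nosuid"},
    "/var/log": {"nodev", "noexec", "nosuid"},
    "/var/log/audit": {"nodev", "noexec", "nosuid"},
    "/var/tmp": {"nodev", "noexec", "nosuid"},
}

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/mapper/vg-root / xfs rw,relatime,attr2,inode64 0 0
/dev/sda1 /boot ext4 rw,relatime,nodev,nosuid 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-tmp /tmp xfs rw,nosuid,nodev,relatime 0 0
/dev/mapper/vg-home /home xfs rw,nosuid,nodev,relatime 0 0
"""


def parse_mounts(text):
    """Return {mountpoint: set(options)} from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in paths as \040; decode before matching.
        mounts[fields[1].replace("\\040", " ")] = set(fields[3].split(","))
    return mounts


def check_mounts(text, required=REQUIRED):
    """Return (missing, not_separate): options each mounted path lacks, and
    baseline paths that only inherit their parent's options (no own mount)."""
    mounts = parse_mounts(text)
    missing, not_separate = {}, []
    for path, wanted in required.items():
        if path not in mounts:
            not_separate.append(path)
            continue
        gap = sorted(wanted - mounts[path])
        if gap:
            missing[path] = gap
    return missing, sorted(not_separate)


if __name__ == "__main__":
    print(check_mounts(SAMPLE_MOUNTS))  # on a real host: open("/proc/mounts").read()
```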

@lbayerlein
Contributor Author

lbayerlein commented Feb 17, 2022

Hey @rndmh3ro ,

proud to commit to this project and work with you 👍

Is it ok for you to do this in a new PR? There is more logic to implement and I would like to give tmp file hardening upstream. Afterwards I will extend it with iteration over multiple directories.

Can you tell what's wrong with these checks? What am I doing wrong?

Thanks,
balu

@rndmh3ro
Member

The checks fail because of other reasons. We need to fix those some time. :)

The PR itself looks good to me. @schurzi, can you take a look, too?


@schurzi schurzi left a comment


Looks good to me, just need to fix the minor wording issues and the mount task.

At first I was thinking about detecting if /tmp is a mountpoint and then doing our stuff, but I also like your solution.

The alternative is using the Ansible supplied facts to detect if a /tmp mountpoint is present and then set the options from our hardening and get the device from Ansible facts.

This should be all we need (data from facter):

mountpoints => {
...
  /tmp => {
...
    device => "/dev/mapper/vg_system-lv_tmp",
    filesystem => "xfs",
...
  },

@rndmh3ro what do you think? This might be a bit more complicated but it would work automatically and we would need fewer variables. But it could also interfere with other things trying to manage mountpoints.

@rndmh3ro
Member

@rndmh3ro what do you think? This might be a bit more complicated but it would work automatically and we would need fewer variables. But it could also interfere with other things trying to manage mountpoints.

I like it the way it currently is. No need to do any magic.


@schurzi schurzi left a comment


I'm almost good now. Sorry ;)

When the task order is fixed this can be merged from my point of view.

@lbayerlein
Contributor Author

@rndmh3ro Is there something I can do? Can we merge?
I would like to commit new PRs for all other mountdirs discussed at the beginning of this PR.

@rndmh3ro
Member

rndmh3ro commented Mar 2, 2022

@lbayerlein I'll take a look tomorrow!

@schurzi
Contributor

schurzi commented Mar 2, 2022

@lbayerlein could you reverse the order of the mount tasks? The way it is now, we write /etc/fstab before trying to remount the mountpoint. This way it is possible that we write invalid flags to /etc/fstab when the remount fails. If the order is reversed, we would fail at the remount and never persist a wrong config.

@lbayerlein
Contributor Author

@schurzi Sure, I changed the order and moved remounting before managing /etc/fstab.

ludwigbayerlein and others added 13 commits March 3, 2022 09:33
ludwigbayerlein and others added 7 commits March 3, 2022 09:33
@schurzi
Contributor

schurzi commented Mar 3, 2022

@lbayerlein now there are 3 mount tasks, I think that is one too many :)

@lbayerlein
Contributor Author

@schurzi oh sorry, copy-paste error. Now there is one for remounting, one for permissions and one for managing fstab. I think this should work? :D

@lbayerlein lbayerlein closed this Aug 3, 2022
@lbayerlein lbayerlein deleted the harden_tmp branch August 3, 2022 11:52