vfat module and lvm partitions

Question

vfat module and lvm partitions

Lejooohn opened this issue 4 years ago · 1 comments

Hi !

I'm trying to run this script :

bin/hardening/1.1.1.7_restrict_fat.sh --audit-all
1.1.1.7_restrict_fat      [INFO] Working on 1.1.1.7_restrict_fat
1.1.1.7_restrict_fat      [INFO] [DESCRIPTION] Limit mounting of FAT filesystems.
1.1.1.7_restrict_fat      [INFO] Checking Configuration
1.1.1.7_restrict_fat      [INFO] Performing audit
1.1.1.7_restrict_fat      [ KO ] CONFIG_VFAT_FS is enabled!
1.1.1.7_restrict_fat      [ KO ] Check Failed

And when i want to apply the recommanded modifications (i have status=enabled in the conf file) :

~/debian-cis # bin/hardening/1.1.1.7_restrict_fat.sh --apply
1.1.1.7_restrict_fat      [INFO] Working on 1.1.1.7_restrict_fat
1.1.1.7_restrict_fat      [INFO] [DESCRIPTION] Limit mounting of FAT filesystems.
1.1.1.7_restrict_fat      [INFO] Checking Configuration
1.1.1.7_restrict_fat      [INFO] Performing audit
1.1.1.7_restrict_fat      [ KO ] CONFIG_VFAT_FS is enabled!
1.1.1.7_restrict_fat      [INFO] Applying Hardening
1.1.1.7_restrict_fat      [WARN] I cannot fix CONFIG_VFAT_FS enabled, recompile your kernel please
1.1.1.7_restrict_fat      [ KO ] Check Failed

As you can see, the output show that the vfat FS is enable but it's not the case (according to the CIS test) :

~/debian-cis # rmmod vfat
rmmod: ERROR: Module vfat is not currently loaded

~/debian-cis # modprobe -n -v vfat | grep -E '(vfat|install)'
install /bin/true

~/debian-cis # lsmod | grep vfat
no output

~/debian-cis # grep -E -i '\svfat\s' /etc/fstab
no output

Did I make a mistake?

other thing about partition checks : all scripts from 1.1.2 to 1.1.18 are not compatible with lvm? for example :

~/debian-cis # bin/hardening/1.1.2_tmp_partition.sh --audit-all
1.1.2_tmp_partition       [INFO] Working on 1.1.2_tmp_partition
1.1.2_tmp_partition       [INFO] [DESCRIPTION] Ensure /tmp is configured (Scored)
1.1.2_tmp_partition       [INFO] Checking Configuration
1.1.2_tmp_partition       [INFO] Performing audit
1.1.2_tmp_partition       [INFO] Verifying that /tmp is a partition
1.1.2_tmp_partition       [ KO ] /tmp is not a partition
1.1.2_tmp_partition       [ KO ] Check Failed

but :

~/debian-cis # mount |grep /tmp
/dev/mapper/vgdebian-tmp on /tmp type xfs (rw,nosuid,nodev,noexec,relatime,attr2,inode64,noquota)
~/debian-cis # df -hT |grep "/tmp"
/dev/mapper/vgdebian-tmp     xfs        2,0G     35M  2,0G   2% /tmp

I got the same error for /var/log partition and i guess i will probably have the same if i had /home and /var/log/audit lvm partition.

Regards

Answer 1 · 2021-02-11T09:55:28.000Z

about restrict FAT, it's not easy to implement the same check than other legit FS because if you use UEFI boot you need FAT and it's allowed in CIS (I add todo about it and keep old implementation for moment)

about partition is complicated too, because actual method are file based and not aware on specific case (lvm, container, ...) this check should be enhanced in future (for my side in this case I disable it)