diff --git a/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md b/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md new file mode 100644 index 0000000000000000000000000000000000000000..2ee45d0a03c255f86de84adc880f960e87308295 --- /dev/null +++ b/benchmarks/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.md @@ -0,0 +1,63 @@ +# 1.51 确保udf文件系统的挂载被禁用 + +## 安全等级 + +- Level 1 + +## 描述 + +udf文件系统类型是用于实现ISO/IEC 13346和ECMA-167规范的通用磁盘格式。这是一种开放的供应商文件系统类型,用于在广泛的媒体上存储数据。该文件系统类型是必需的,以支持编写DVD和较新的光盘格式。 + +删除不需要的文件系统类型的支持可以减少系统的本地攻击面。如果不需要此文件系统类型,请禁用它。 + +## 修复建议 + +目标:确保udf文件系统的挂载被禁用。 + +1. 执行以下命令,在`/etc/modprobe.d/`目录中编辑或创建一个以`.conf`结尾的文件,并添加配置。 + +```bash +# echo "install udf /bin/false" >> /etc/modprobe.d/udf.conf +# echo "blacklist udf" >> /etc/modprobe.d/udf.conf +``` + +2. 运行以下命令以卸载udf模块。 + +```bash +# modprobe -r udf +``` + +## 扫描检测 + +运行以下命令并验证输出是否符合预期。 + +1. 模块将如何加载。 + + 运行如下命令,若输出为`install /bin/false`,则视为通过此项检查。 + +```bash +# modprobe -n -v udf | grep "^install" +install /bin/false +``` + +2. 模块当前是否已加载。 + + 运行如下命令,若输出为空,则视为通过此项检查。 + +```bash +# lsmod | grep udf + +``` + +3. 模块是否已列入黑名单。 + + 运行如下命令,若输出为`/etc/modprobe.d/udf.conf:blacklist udf`,则视为通过此项检查。 + +```bash +# grep -E "^blacklist[[:blank:]]*udf" /etc/modprobe.d/* +/etc/modprobe.d/udf.conf:blacklist udf +``` + +## 参考 + +- cis: \ No newline at end of file diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md index e49b5237af6cd55f9fc0905e8bf84835f76fbf1c..b41fd9130ea4f31a8ccd4f5bf226acdd064efdce 100644 --- a/docs/summary-of-rules.md +++ b/docs/summary-of-rules.md 
@@ -50,6 +50,7 @@ | 1.48 | 1.48-restrict-the-terminals-that-can-be-managed-over-the-network.md | 1.48 对通过网络进行管理的终端进行限制 | benchmarks/access-and-control | 2 | | 1.49 | 1.49-lock-or-delete-the-shutdown-and-halt-users.md | 1.49 锁定或删除shutdown、halt用户 | benchmarks/access-and-control | 1 | | 1.50 | 1.50-ensure-ssh-x11-forwarding-is-disabled.md | 1.50 确保SSH X11转发功能被禁用 | benchmarks/access-and-control | 1 | +| 1.51 | 1.51-ensure-mounting-of-udf-filesystems-is-disabled.md | 1.51 确保udf文件系统的挂载被禁用 | benchmarks/access-and-control | 1 | | 2.1 | 2.1-ensure-audit-log-files-are-not-read-or-write-accessible-by-unauthorized-users.md | 2.1 确保审计日志的文件权限被正确配置 | benchmarks/logging-and-auditing | 1 | | 2.2 | 2.2-ensure-only-authorized-users-own-audit-log-files.md | 2.2 确保审计日志文件的所有者为已授权用户 | benchmarks/logging-and-auditing | 1 | | 2.3 | 2.3-ensure-only-authorized-groups-ownership-of-audit-log-files.md | 2.3 确保审计日志文件的所属组为已授权的用户组 | benchmarks/logging-and-auditing | 1 | diff --git a/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh b/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh new file mode 100644 index 0000000000000000000000000000000000000000..2211012279f80c5a0dd3911cc5618a1d3e493c12 --- /dev/null +++ b/remediation-kits/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh @@ -0,0 +1,3 @@ +echo "install udf /bin/false" >> /etc/modprobe.d/udf.conf +echo "blacklist udf" >> /etc/modprobe.d/udf.conf +modprobe -r udf diff --git a/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh b/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh new file mode 100644 index 0000000000000000000000000000000000000000..bd23f6e4a43d8d5771db9ef4cbe2b7895f0c24ad --- /dev/null +++ b/scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh 
@@ -0,0 +1,9 @@ +result=false + +modprobe -n -v udf | grep -q "^install" && test -z "$(lsmod | grep -e udf)" && grep -E -q "^blacklist[[:blank:]]*udf" /etc/modprobe.d/* && result=true + +if [ "$result" == true ]; then + echo "pass" +else + echo "fail" +fi
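Review bot: In the new benchmark document (1.51-ensure-mounting-of-udf-filesystems-is-disabled.md), the remediation step 1 appends with `>>` unconditionally, so every re-run of `echo "install udf /bin/false" >> /etc/modprobe.d/udf.conf` and `echo "blacklist udf" >> /etc/modprobe.d/udf.conf` adds duplicate lines to the file; suggest stating the step as "add the line if it is not already present" (for example guarding with `grep -q '^install udf' /etc/modprobe.d/udf.conf ||` before each append) so the written procedure matches the idempotent behaviour the check expects. Two smaller documentation points in the same hunk: the `## 参考` section ends with an empty `- cis:` entry, so the CIS control this rule maps to should be filled in before merge, and the file is committed without a trailing newline (`\ No newline at end of file`).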
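Review bot: The remediation kit script (remediation-kits/.../1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh) is not idempotent and has no error handling: the two `echo ... >> /etc/modprobe.d/udf.conf` lines duplicate entries on every run, and `modprobe -r udf` is executed unconditionally, so it reports an error when udf is compiled into the kernel or is currently in use by a mounted filesystem, leaving the operator with no indication of whether the config lines were written. Suggest guarding each append with a `grep -q` check, unloading only when the module is actually loaded (e.g. `lsmod | grep -q '^udf ' && modprobe -r udf`), and adding a shebang plus `set -e` so a failed unload is visible rather than silently ignored; the benchmark document also lists no `/bin/false` fallback for systems where udf is builtin, which this script cannot remediate.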
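Review bot: The scanner (scanners/.../1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh) accepts weaker states than the benchmark document describes. `modprobe -n -v udf | grep -q "^install"` passes on any `install` line, not specifically `install /bin/false`, so a config such as `install udf /sbin/modprobe --ignore-install udf` (which still loads the module) would be scored "pass"; tighten it to `grep -q "^install /bin/false"` (or `^install /bin/(false|true)$` with `-E`) to match check 1 in the markdown. `test -z "$(lsmod | grep -e udf)"` matches the substring `udf` anywhere in the `lsmod` output, including the "Used by" column and unrelated module names, so it can produce a spurious "fail"; anchor it to the module column, e.g. `lsmod | awk '$1 == "udf"'` or `grep -q '^udf[[:blank:]]'`. Finally, `[ "$result" == true ]` uses the bash-only `==` inside `[ ]`; with no shebang the script may be run by `sh`/dash, where `==` is an "unexpected operator" error, so use `=` (or add `#!/bin/bash`) for portability.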