CCE-55031-9
Platform: cpe:/o:redhat:enterprise_linux:8
Date: (C)2024-01-08 (M)2024-01-08
Title:
Ensure grpquota option set on /home partition
Description:
The grpquota mount option allows for the filesystem to have disk quotas configured.
Rationale:
To ensure the availability of disk space on /home , it is important to limit the impact a single
user or group can cause for other users (or the wider system) by accidentally filling up the
partition. Quotas can also be applied to inodes for filesystems where inode exhaustion is a
concern.
Audit:
Verify that the grpquota option is set for the /home mount and that quotas are enabled and
configured.
Run the following command to verify that the grpquota mount option is set.
Example:
# findmnt --kernel /home | grep grpquota
/home /dev/sdb ext4 rw,quota,usrquota,grpquota,nodev,relatime,seclabel
Run the following command to verify that the group quotas are enabled.
# quotaon -p /home | grep group
group quota on /home (/dev/sdb) is on
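The three audit conditions above (grpquota in the fstab options field, grpquota on the live mount, group quota enforcement switched on) as a small check script. This is an added example, not part of the benchmark text; each check reads the relevant command output on stdin so it can also be run against constructed sample lines offline.

```shell
#!/bin/sh
# Added audit helper for this benchmark item (not part of the benchmark text).
# Each check reads its input on stdin and exits 0 when the condition holds,
# so it works both on live command output and on constructed sample lines.

# Check 1: the /home entry in /etc/fstab lists grpquota in its fourth
# (mount options) field. Comment lines and other mount points are ignored.
fstab_has_grpquota() {
    awk 'BEGIN { found = 0 }
         $1 !~ /^#/ && $2 == "/home" {
             n = split($4, opts, ",")
             for (i = 1; i <= n; i++) if (opts[i] == "grpquota") found = 1
         }
         END { exit found ? 0 : 1 }'
}

# Check 2: the live mount carries grpquota. Input is the output of
# `findmnt --kernel /home`; the header line is skipped because its first
# column is TARGET rather than /home.
mount_has_grpquota() {
    awk 'BEGIN { found = 0 }
         $1 == "/home" {
             n = split($4, opts, ",")
             for (i = 1; i <= n; i++) if (opts[i] == "grpquota") found = 1
         }
         END { exit found ? 0 : 1 }'
}

# Check 3: group quota enforcement is on. Input is the output of
# `quotaon -p /home`; only the "group quota" line matters, which is what
# the benchmark's `| grep group` selects. An "is off" line fails the check.
group_quota_is_on() {
    grep -q '^group quota on /home (.*) is on$'
}

# Live audit against the real system: all three checks must pass.
audit_home_grpquota() {
    fstab_has_grpquota < /etc/fstab &&
    findmnt --kernel /home | mount_has_grpquota &&
    quotaon -p /home | group_quota_is_on
}
```

Run `audit_home_grpquota; echo $?` as root on the target host; a non-zero status means at least one of the three audit conditions is not met.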
Remediation:
Edit the /etc/fstab file and add grpquota to the fourth field (mounting options) for the
/home partition.
Example:
<device> /home <fstype> defaults,rw,usrquota,grpquota,nodev,relatime 0 0
Run the following command to remount /home with the configured options:
# mount -o remount /home
Create the quota database. This example will ignore any existing quota files.
# quotacheck -cugv /home
quotacheck: Your kernel probably supports journaled quota but you are not
using it. Consider switching to journaled quota to avoid running quotacheck
after an unclean shutdown.
quotacheck: Scanning /dev/sdb [/home] done
quotacheck: Cannot stat old user quota file /home/aquota.user: No such file
or directory. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file /home/aquota.group: No such file
or directory. Usage will not be subtracted.
quotacheck: Cannot stat old user quota file /home/aquota.user: No such file
or directory. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file /home/aquota.group: No such file
or directory. Usage will not be subtracted.
quotacheck: Checked 8 directories and 0 files
quotacheck: Old file not found.
quotacheck: Old file not found.
Restore SELinux context on the quota database files. Order of operations is important as
quotaon will set the immutable attribute on the files and thus restorecon will fail.
# restorecon /home/aquota.group
Enable quotas on the partition:
# quotaon -vug /home
/dev/sdb [/home]: group quotas turned on
/dev/sdb [/home]: user quotas turned on
Parameter:
[Yes/No]
Technical Mechanism:
See Remediation above.
CCSS Severity:
CCSS Score: 5.5
Exploit Score: 1.8
Impact Score: 3.6
Severity: MEDIUM
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CCSS Metrics:
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: NONE
Availability: HIGH
References:
Resource Id | Reference
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:96238