CCE-55030-1 | Platform: cpe:/o:redhat:enterprise_linux:8 | Date: (C)2024-01-08 (M)2024-01-08 |
Title:
Ensure usrquota option set on /home partition
Description:
The usrquota mount option allows for the filesystem to have disk quotas configured.
Rationale:
To ensure the availability of disk space on /home , it is important to limit the impact a single
user or group can cause for other users (or the wider system) by accidentally filling up the
partition. Quotas can also be applied to inodes for filesystems where inode exhaustion is a
concern.
Audit:
Verify that the usrquota option is set for the /home mount and that quotas are enabled and
configured.
Run the following command to verify that the usrquota mount option is in effect. findmnt
--kernel reports the options the kernel is actually using, so an /etc/fstab entry that has not
yet been remounted will not satisfy this check.
Example:
# findmnt --kernel /home | grep usrquota
/home /dev/sdb ext4 rw,quota,usrquota,grpquota,nodev,relatime,seclabel
Run the following command to verify that the user quotas are enabled.
# quotaon -p /home | grep user
user quota on /home (/dev/sdb) is on
Remediation:
Edit the /etc/fstab file and add usrquota to the fourth field (mounting options) for the
/home partition.
Example:
<device> /home <fstype> defaults,rw,usrquota,grpquota,nodev,relatime 0 0
Run the following command to remount /home with the configured options:
# mount -o remount /home
Create the quota database. This example ignores any existing quota files (-c) and scans for
both user (-u) and group (-g) usage.
# quotacheck -cugv /home
quotacheck: Your kernel probably supports journaled quota but you are not
using it. Consider switching to journaled quota to avoid running quotacheck
after an unclean shutdown.
quotacheck: Scanning /dev/sdb [/home] done
quotacheck: Cannot stat old user quota file /home/aquota.user: No such file
or directory. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file /home/aquota.group: No such file
or directory. Usage will not be subtracted.
quotacheck: Can not stat old user quota file /home/aquota.user: No such file
or directory. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file /home/aquota.group: No such file
or directory. Usage will not be subtracted.
quotacheck: Checked 8 directories and 0 files
quotacheck: Old file not found.
quotacheck: Old file not found.
Restore the SELinux context on the quota database files that quotacheck created (with -cug it
creates both aquota.user and aquota.group). Order of operations is important: quotaon sets
the immutable attribute on the files, after which restorecon will fail.
# restorecon /home/aquota.user /home/aquota.group
Enable quotas on the partition:
# quotaon -vug /home
/dev/sdb [/home]: group quotas turned on
/dev/sdb [/home]: user quotas turned on
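The audit and remediation steps above, collected into one script as an added example that is not part of the benchmark text. The text-processing helpers (option check, fstab edit) are pure functions that run on constructed sample input without root; the function that edits the live system is only invoked when APPLY_QUOTA=1 is exported. The variable and function names, the sample findmnt lines and the sample fstab are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: helpers that audit and
# remediate the usrquota/grpquota mount options for /home.
# Text-processing functions are pure (args/stdin -> stdout) so they can be
# exercised on constructed input without root; the function that edits the
# live system only runs when APPLY_QUOTA=1 is exported.

# Return 0 if the comma-separated option list $1 contains option $2 exactly
# (so "quota" does not match "usrquota").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Audit one "findmnt --kernel MOUNT" output line: TARGET SOURCE FSTYPE OPTIONS.
# Prints PASS/FAIL and returns 0 only when usrquota is among the live options.
audit_findmnt_line() {
    target=$(printf '%s\n' "$1" | awk '{print $1}')
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    if has_opt "$opts" usrquota; then
        echo "PASS: usrquota is set on $target ($opts)"
        return 0
    fi
    echo "FAIL: usrquota is not set on $target ($opts)"
    return 1
}

# Rewrite fstab text from stdin to stdout, appending option $2 to the fourth
# field of the entry whose mount point is $1. Idempotent: an entry that already
# carries the option is left alone, as are comments and every other entry.
fstab_add_opt() {
    awk -v mnt="$1" -v opt="$2" '
        /^[ \t]*#/ || NF < 4 { print; next }
        $2 == mnt {
            n = split($4, a, ",")
            found = 0
            for (i = 1; i <= n; i++) if (a[i] == opt) found = 1
            if (!found) $4 = $4 "," opt
        }
        { print }'
}

# Apply the benchmark remediation to the running system (root required).
# Writes through the existing /etc/fstab inode so its mode and SELinux
# context are preserved, then remounts, builds the quota files, relabels
# them before quotaon makes them immutable, and turns quotas on.
remediate_home_quota() {
    backup="/etc/fstab.$(date +%Y%m%d%H%M%S).bak"
    cp -p /etc/fstab "$backup"
    tmp=$(mktemp /etc/fstab.XXXXXX)
    fstab_add_opt /home usrquota < /etc/fstab | fstab_add_opt /home grpquota > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "refusing to write an empty /etc/fstab (backup at $backup)" >&2
        rm -f "$tmp"
        return 1
    fi
    cat "$tmp" > /etc/fstab
    rm -f "$tmp"
    mount -o remount /home
    quotacheck -cug /home
    restorecon /home/aquota.user /home/aquota.group
    quotaon -vug /home
    findmnt --kernel /home
}

# Constructed sample input (not captured from a real host) for the offline demo.
GOOD_LINE='/home /dev/sdb ext4 rw,quota,usrquota,grpquota,nodev,relatime,seclabel'
BAD_LINE='/home /dev/sdb ext4 rw,nodev,relatime,seclabel'
SAMPLE_FSTAB='# constructed sample fstab
UUID=1234-abcd /home ext4 defaults,rw,nodev,relatime 0 0
/dev/sda2 /var ext4 defaults 0 0'

audit_findmnt_line "$GOOD_LINE" || true
audit_findmnt_line "$BAD_LINE"  || true
printf '%s\n' "$SAMPLE_FSTAB" | fstab_add_opt /home usrquota | fstab_add_opt /home grpquota

if [ "${APPLY_QUOTA:-0}" = 1 ]; then
    remediate_home_quota
fi
```

Run it without arguments to see the audit and the rewritten sample fstab; run `APPLY_QUOTA=1 sh quota_home.sh` as root to perform the remediation on a real host. The fstab is rewritten with awk rather than sed so the option is appended only to the fourth field of the /home entry and never twice, and the final `findmnt --kernel` repeats the audit so the live options, not just the file, confirm the change.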
Parameter:
[Yes/No]
Technical Mechanism:
Same steps as the Remediation section above.
CCSS Severity:                                  CCSS Metrics:
CCSS Score: 5.5                                 Attack Vector: LOCAL
Exploit Score: 1.8                              Attack Complexity: LOW
Impact Score: 3.6                               Privileges Required: LOW
Severity: MEDIUM                                User Interaction: NONE
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H     Scope: UNCHANGED
                                                Confidentiality: NONE
                                                Integrity: NONE
                                                Availability: HIGH
References:
SCAP Repo OVAL Definition: oval:org.secpod.oval:def:96239