Enable sle16 specific checks and remediations for mount_option_tmp_noexec

teacup-on-rockingchair · teacup-on-rockingchair · commit a8bb68c7f38b · 2026-03-08T23:48:49.000+02:00
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/ansible/sle16.yml
@@ -0,0 +1,28 @@
+# platform = SUSE Linux Enterprise 16
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: '{{{ rule_title }}} - Check if noexec options is configured in /usr/lib/systemd/system/tmp.mount'
+  ansible.builtin.lineinfile:
+    path: /usr/lib/systemd/system/tmp.mount
+    regexp: ^[\s]*Options=[\s]*.*noexec.*$
+    state: absent
+  check_mode: true
+  register: noexec_match
+
+# if no match, collect current options and add noexec
+- name: '{{{ rule_title }}} - Collect previously configured options'
+  ansible.builtin.shell:
+    cmd: sed -n 's/^[\s]*Options=[\s]*\(.*\)$/\1/p' /usr/lib/systemd/system/tmp.mount
+  register: current_options
+  when:
+    - noexec_match is defined and noexec_match.found == 0
+
+
+- name: '{{{ rule_title }}} - Add noexec option to previously configured options'
+  ansible.builtin.shell:
+    cmd: sed -i "s/^Options=.*/Options={{ current_options.stdout }},noexec/g" /usr/lib/systemd/system/tmp.mount
+  when:
+    - noexec_match.found == 0 and current_options is defined
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/bash/sle16.sh
@@ -0,0 +1,23 @@
+# platform = SUSE Linux Enterprise 16
+# reboot = true
+# strategy = configure
+# complexity = low
+# disruption = low
+
+tmp_mount_file="/usr/lib/systemd/system/tmp.mount"
+
+# if already set, skip
+if grep -qE '^[\s]*Options=[\s]*.*noexec.*$' ${tmp_mount_file}; then
+    echo "noexec option already present, skipping remediation"
+    exit 0
+fi
+
+# no options set, add it
+if ! grep -qE '^[\s]*Options=[\s]*.*$' ${tmp_mount_file}; then
+    echo "Options=noexec" >> ${tmp_mount_file}
+else
+  # collect currently set options
+  current_options=$(sed -n 's/^[\s]*Options=[\s]*\(.*\)$/\1/p' ${tmp_mount_file})
+  # add noexec to current options and replace
+  sed -i "s/^Options=.*/Options=${current_options},noexec/g" ${tmp_mount_file}
+fi
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/oval/sle16.xml
@@ -0,0 +1,18 @@
+<def-group>
+  <definition class="compliance" id="mount_option_tmp_noexec" version="1">
+    {{{ oval_metadata("ensure tmp.mount services has noexec option configured.") }}}
+    <criteria>
+        <criterion comment="check noexec is set in Options in /usr/lib/systemd/system/tmp.mount" test_ref="test_tmp_mount_noexec_option" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check noexec is set in Options in /usr/lib/systemd/system/tmp.mount" id="test_tmp_mount_noexec_option" version="1">
+    <ind:object object_ref="object_tmp_mount_noexec_option" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_tmp_mount_noexec_option" comment="Options has  noexec set in /usr/lib/systemd/system/tmp.mount" version="1">
+    <ind:filepath>/usr/lib/systemd/system/tmp.mount</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*Options=.*noexec.*$</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
