Add grpquota Option to /home
Description
The grpquota mount option allows for the filesystem to have disk quotas configured. Add the grpquota option to the fourth column of /etc/fstab for the line which controls mounting of /home.
Rationale
To ensure the availability of disk space on /home, it is important to limit the impact a
single user or group can cause for other users (or the wider system) by intentionally or
accidentally filling up the partition. Quotas can also be applied to inodes for filesystems
where inode exhaustion is a concern.
Shell script
The following script can be run on the host to remediate the issue.
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    # Regexp that matches "/home" as a whole field in /etc/fstab or /etc/mtab
    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/home")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/home' is not even in /etc/fstab, so we can't set up mount options" >&2;
             echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; }

    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /home)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    # (this branch cannot be reached here, because the guard above already returned
    # when /home has no /etc/fstab entry; it is kept as in the shared remediation template)
    if ! grep "$mount_point_match_regexp" /etc/fstab; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|grpquota)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /home defaults,${previous_mount_opts}grpquota 0 0" >> /etc/fstab
    # If the grpquota option is not already in the mount point's /etc/fstab entry, add it
    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep "grpquota"; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,grpquota|" /etc/fstab
    fi

    # Remount so the new option takes effect on a running system
    # (for XFS this is not sufficient; see the warning at the end of this rule)
    if mkdir -p "/home"; then
        if mountpoint -q "/home"; then
            mount -o remount --target "/home"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: 'Add grpquota Option to /home: Check information associated to mountpoint'
  command: findmnt --fstab '/home'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-86039-5
    - NIST-800-53-CM-6(b)
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_home_grpquota
    - no_reboot_needed

- name: 'Add grpquota Option to /home: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
  tags:
    - CCE-86039-5
    - NIST-800-53-CM-6(b)
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_home_grpquota
    - no_reboot_needed

- name: 'Add grpquota Option to /home: If /home not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - - target
      - source
      - fstype
      - options
    - - /home
      - ''
      - ''
      - defaults
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - ("--fstab" | length == 0)
    - (device_name.stdout | length == 0)
  tags:
    - CCE-86039-5
    - NIST-800-53-CM-6(b)
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_home_grpquota
    - no_reboot_needed

- name: 'Add grpquota Option to /home: Make sure grpquota option is part of the /home options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',grpquota'' }) }}'
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - mount_info is defined and "grpquota" not in mount_info.options
  tags:
    - CCE-86039-5
    - NIST-800-53-CM-6(b)
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_home_grpquota
    - no_reboot_needed

- name: 'Add grpquota Option to /home: Ensure /home is mounted with grpquota option'
  mount:
    path: /home
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" | length == 0)
  tags:
    - CCE-86039-5
    - NIST-800-53-CM-6(b)
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_home_grpquota
    - no_reboot_needed
Warning
The quota options for XFS file systems can only be activated when mounting the partition.
It is not possible to enable them by remounting an already mounted partition. Therefore,
if the desired options were not defined before mounting the partition, unmount and mount
it again to apply the quota options.
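The description above says where the option goes (the fourth column of the /home line in /etc/fstab), and the warning says that for XFS the option in /etc/fstab and the option on the live mount can disagree until a fresh mount. The following shell script is an added audit example, not part of this rule's shell or Ansible remediation: it parses fstab-format text and reports whether a mount point's options column carries a given option as a whole comma-separated token, and it shows the same edit the remediation performs as a pure text transformation. The fstab content is a constructed sample; the function names fstab_has_option and fstab_add_option are this example's own. Because /proc/mounts uses the same six-column layout, the same check can be run over "$(cat /proc/mounts)" to compare the configured options against the effective ones.

```shell
#!/bin/sh
# Added example (not from the ComplianceAsCode rule): audit and edit the
# options column of an fstab-format text offline.

# Constructed sample fstab; device names and UUID are placeholders.
SAMPLE_FSTAB='# <device>               <mount>  <type> <options>               <dump> <pass>
UUID=0000-CONSTRUCTED    /        xfs    defaults                0 0
/dev/mapper/vg-home      /home    xfs    defaults,nodev,nosuid   0 0
/dev/mapper/vg-home2     /home2   xfs    defaults,grpquota       0 0
tmpfs                    /tmp     tmpfs  defaults,noexec         0 0'

# fstab_has_option FSTAB_TEXT MOUNTPOINT OPTION
# Prints "yes" (exit 0) when the line whose second column is MOUNTPOINT lists
# OPTION as a whole token in its fourth column, otherwise "no" (exit 1). A
# mount point with no entry at all also yields "no". Comment lines and lines
# with fewer than four columns are ignored. Works on /proc/mounts text too.
fstab_has_option() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { print (found ? "yes" : "no"); exit (found ? 0 : 1) }'
}

# fstab_add_option FSTAB_TEXT MOUNTPOINT OPTION
# Prints FSTAB_TEXT with OPTION appended to the options column of the
# MOUNTPOINT line. Idempotent: a line already carrying the option is printed
# unchanged. The rewritten line is re-joined with single spaces, so column
# alignment of that one line is not preserved.
fstab_add_option() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        /^[[:space:]]*#/ || NF < 4 || $2 != mp { print; next }
        {
            n = split($4, o, ",")
            has = 0
            for (i = 1; i <= n; i++) if (o[i] == opt) has = 1
            if (!has) $4 = $4 "," opt
            print
        }'
}

# Demonstration on the constructed sample.
for mp in /home /home2 /tmp; do
    printf '%-7s grpquota configured: %s\n' "$mp" \
        "$(fstab_has_option "$SAMPLE_FSTAB" "$mp" grpquota)"
done
FIXED=$(fstab_add_option "$SAMPLE_FSTAB" /home grpquota)
printf '\nafter adding the option:\n%s\n' "$FIXED"
```

To audit a real host, replace the sample with "$(cat /etc/fstab)" for the configured state and "$(cat /proc/mounts)" for the effective state; on XFS, a "yes" from the first and a "no" from the second is exactly the situation the warning describes, and a remount will not close that gap.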