Landscape Client

CIS Can't exec /tmp/landscape-common.config.8br9ON when /tmp has noexec mount option

Bug #1877992 reported by Gábor Mészáros on 2020-05-11

This bug affects 4 people

Affects		Status	Importance	Assigned to	Milestone
	Landscape Client	New	Undecided	Unassigned

Bug Description

In a cloud deployment, where the nodes are hardened with CIS scripts, landscape cannot execute it's initial installation DB configuration (update-security-db.sh) under /tmp, because following the CIS hardening recommendation that path has noexec bit set.

See original description

Gábor Mészáros (gabor.meszaros) on 2020-05-15

summary:

- CIS Can't exec /tmp/landscape-0common.config.8br9ON when /tmp has noexec
+ CIS Can't exec /tmp/landscape-common.config.8br9ON when /tmp has noexec
mount option

Gábor Mészáros (gabor.meszaros) on 2020-06-04

description:

updated

Revision history for this message

Steven LaCosse (motosteven) wrote on 2024-05-02:

Ran into this with security hardening rules, CIS or DISA has rules to disable exec for /tmp mount which script execution from landscape is ran in.

It would make sense to have an ability to define where scripts are ran via /etc/landscape/client.conf. So this would be feature request for that.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.