1.1.7.5 Ensure grpquota option set on /home partition

Information

The grpquota mount option allows for the filesystem to have disk quotas configured.

To ensure the availability of disk space on /home it is important to limit the impact a single user or group can cause for other users (or the wider system) by accidentally filling up the partition. Quotas can also be applied to inodes for filesystems where inode exhaustion is a concern.

Solution

Edit the /etc/fstab file and add grpquota to the fourth field (mounting options) for the /home partition.

Example:

<device> /home <fstype> defaults,rw,usrquota,grpquota,nodev,relatime 0 0

Run the following command to remount /home with the configured options:

# mount -o remount /home

Create the quota database. This example will ignore any existing quota files.

# quotacheck -cugv /home

quotacheck: Your kernel probably supports journaled quota but you are not using it. Consider switching to journaled quota to avoid running quotacheck after an unclean shutdown.
quotacheck: Scanning /dev/sdb [/home] done
quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old user quota file /home/aquota.user: No such file or directory. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file /home/aquota.group: No such file or directory. Usage will not be subtracted.
quotacheck: Checked 8 directories and 0 files
quotacheck: Old file not found.
quotacheck: Old file not found.

Restore SELinux context on the quota database files. Order of operations is important as quotaon will set the immutable attribute on the files and thus restorecon will fail.

# restorecon /home/aquota.group

Enable quotas on the partition:

# quotaon -vug /home

/dev/sdb [/home]: group quotas turned on
/dev/sdb [/home]: user quotas turned on
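The steps above edit /etc/fstab by hand. As an added example (not part of the benchmark text or Tenable's audit logic), the POSIX shell functions below check whether the entry for a given mount point in fstab-format input carries a given option in its fourth field, and print a corrected copy with the option appended where it is missing. The sample fstab content is constructed for the demonstration; on a real host you would feed in /etc/fstab and still need the remount, quotacheck, restorecon and quotaon steps listed above.

```shell
#!/bin/sh
# Added example: audit and fix-up helpers for fstab mount options (not from the page).
# Both functions read fstab-format text on stdin.
#   check_fstab_option MOUNTPOINT OPTION  -> exit 0 if OPTION is in field 4 of MOUNTPOINT's line
#   add_fstab_option   MOUNTPOINT OPTION  -> print input with OPTION appended to that line if absent

check_fstab_option() {
  awk -v mp="$1" -v opt="$2" '
    # skip comments and lines too short to be a valid fstab entry
    /^[[:space:]]*#/ || NF < 4 { next }
    $2 == mp {
      n = split($4, opts, ",")           # fourth field is the comma-separated option list
      for (i = 1; i <= n; i++) if (opts[i] == opt) found = 1
    }
    END { exit (found ? 0 : 1) }
  '
}

add_fstab_option() {
  awk -v mp="$1" -v opt="$2" '
    BEGIN { OFS = " " }
    !/^[[:space:]]*#/ && NF >= 4 && $2 == mp {
      n = split($4, opts, ","); have = 0
      for (i = 1; i <= n; i++) if (opts[i] == opt) have = 1
      if (!have) $4 = $4 "," opt         # rebuilds the line with single-space separators
    }
    { print }
  '
}

# Constructed sample fstab content (not a real system's /etc/fstab):
# /home has usrquota but not grpquota, which is the finding this check is for.
SAMPLE_FSTAB='# constructed sample fstab
UUID=0000-0000 / ext4 defaults 1 1
/dev/sdb /home ext4 defaults,rw,usrquota,nodev,relatime 0 0
tmpfs /tmp tmpfs defaults,nosuid 0 0'

# Demonstration when run directly.
if printf '%s\n' "$SAMPLE_FSTAB" | check_fstab_option /home grpquota; then
  echo "PASS: grpquota is set on /home"
else
  echo "FAIL: grpquota is not set on /home; corrected entry would be:"
  printf '%s\n' "$SAMPLE_FSTAB" | add_fstab_option /home grpquota | grep ' /home '
fi
```

The check matches whole options only, so an entry with `usrquota` does not pass for `grpquota`; the fix-up leaves every other line byte-for-byte unchanged and only rewrites the matching mount point's line.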

See Also

https://workbench.cisecurity.org/files/3742

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: fc34f96994d2cf6b599df38e0aeb823cc25d44aad9213b68267b57bcd4570100