Customers have applied the CIS benchmark to all Tanzu VMs, and it passes for every VM except Harbor.
The failing check is titled "Ensure noexec option set on /tmp partition".
Harbor tile VM with stemcell Ubuntu-Jammy-go_agent/1.1065 and above.
Running 'mount | grep /tmp' on the harbor-app virtual machine shows that the noexec option is missing from the /tmp mount point (note that the grep also matches /var/tmp, which does carry noexec):
harbor-app/######-#########-#########:~# mount | grep /tmp
/dev/sdb2 on /tmp type ext4 (rw,nosuid,nodev,relatime)
/dev/sdb2 on /var/tmp type ext4 (rw,nosuid,nodev,noexec,relatime)
As a registry service, Harbor relies on executing from the /tmp directory, so the missing noexec option on /tmp is expected behaviour with Harbor. The /tmp mount still carries the nosuid and nodev options, which limit what can be done with files placed there:
nosuid: set-user-ID and set-group-ID bits are ignored on this filesystem, so even if a malicious binary is placed in /tmp it cannot run with elevated privileges (such as root) regardless of its owner. This prevents the most common form of privilege escalation.
nodev: character and block special device files in the /tmp filesystem are not interpreted, which blocks attackers from creating "backdoors" to raw hardware or disk partitions.
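As an added example (not part of this article or of the Harbor tile), the following POSIX shell script audits a mount point for the nosuid, nodev and noexec options the way the CIS check does, matching the mount point exactly rather than by prefix so that /var/tmp is not mistaken for /tmp. It runs against a constructed mount table that mirrors the output above; when no table is supplied it reads the live output of mount.

```shell
#!/bin/sh
# Added example: CIS-style audit of mount options for one mount point.
# The sample table below is constructed to mirror the Harbor tile VM output
# (nosuid and nodev present on /tmp, noexec absent; /var/tmp has all three).
SAMPLE_MOUNTS='/dev/sda1 on / type ext4 (rw,relatime)
/dev/sdb2 on /tmp type ext4 (rw,nosuid,nodev,relatime)
/dev/sdb2 on /var/tmp type ext4 (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec)'

# mount_options MOUNTPOINT [MOUNT_OUTPUT]
# Prints the comma-separated option list of exactly that mount point
# (field 3 of `mount` output), so /tmp never matches /var/tmp.
# Falls back to the live `mount` output when no table is given.
mount_options() {
    mp=$1
    table=${2:-$(mount)}
    printf '%s\n' "$table" | awk -v mp="$mp" '
        $3 == mp { gsub(/[()]/, "", $6); print $6; exit }'
}

# has_option MOUNTPOINT OPTION [MOUNT_OUTPUT]
# Returns 0 when OPTION is set on MOUNTPOINT, 1 otherwise.
has_option() {
    opts=$(mount_options "$1" "$3")
    case ",$opts," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_tmp [MOUNT_OUTPUT]
# Reports PASS/FAIL for each hardening option on /tmp; returns 1 if any is missing.
audit_tmp() {
    rc=0
    for opt in nosuid nodev noexec; do
        if has_option /tmp "$opt" "$1"; then
            echo "PASS: /tmp has $opt"
        else
            echo "FAIL: /tmp is missing $opt"
            rc=1
        fi
    done
    return $rc
}

# Against the constructed table this reports noexec as missing, as on the Harbor VM.
if audit_tmp "$SAMPLE_MOUNTS"; then
    echo "CIS /tmp check passed"
else
    echo "CIS /tmp check failed"
fi
```

Run it without an argument to audit_tmp on a real VM to check the live mount table; an exemption for Harbor's /tmp should be recorded against the nosuid and nodev findings that do pass.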