CIS Benchmark Fails - Filesystems

Support for security such as Firewalls and securing linux
Septum
Posts: 2
Joined: 2021/08/31 14:43:56

CIS Benchmark Fails - Filesystems

Post by Septum » 2021/08/31 14:48:51

Hello! I have found that CentOS 7 fails the following CIS Benchmarks:

6000 - Ensure mounting of cramfs filesystems is disabled
6001 - Ensure mounting of squashfs filesystems is disabled
6002 - Ensure mounting of udf filesystems is disabled
6003 - Ensure mounting of FAT filesystems is disabled

Would it be possible to disable these mounts without affecting the functioning of the OS?

Thanks in advance!

Septum
Posts: 2
Joined: 2021/08/31 14:43:56

CIS Benchmark Fails - Partitions

Post by Septum » 2021/08/31 14:52:57

Hello! I have found that CentOS 7 fails the following CIS benchmarks:

6008 - Ensure /dev/shm is configured
6009 - Ensure noexec option set on /dev/shm partition
6013 - Ensure separate partition exists for /var/tmp
6014 - Ensure noexec option set on /var/tmp partition
6015 - Ensure nodev option set on /var/tmp partition
6016 - Ensure nosuid option set on /var/tmp partition
6018 - Ensure separate partition exists for /var/log/audit
6019 - Ensure separate partition exists for /home
6020 - Ensure nodev option set on /home partition

Is it possible to configure these partitions, and set the appropriate security options, without impacting the OS's working?

Thanks in advance!
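Before deciding whether to remediate the partition items listed above, it helps to see exactly which ones fail and why, since "separate partition exists" and "option set" are distinct checks. The script below is an added example, not code from the post or from the CIS script; it audits the mount-point and mount-option items from the list against `/proc/mounts`-style data. The sample mount table is constructed, and the function names (`has_mount`, `has_opt`, `check_item`, `audit_mounts`) are this example's own.

```shell
#!/bin/sh
# Added example: audit the /dev/shm, /var/tmp, /var/log/audit and /home items
# from the post against /proc/mounts data. The sample below is constructed;
# on a real host pass "$(cat /proc/mounts)" instead.

# Constructed sample of /proc/mounts output (device mountpoint fstype options dump pass).
SAMPLE_MOUNTS='/dev/mapper/centos-root / xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev 0 0
/dev/mapper/centos-home /home xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
/dev/sda1 /boot xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0'

# has_mount MOUNTS MOUNTPOINT -> exit 0 if MOUNTPOINT is its own mount (separate partition)
has_mount() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { found = 1 } END { exit !found }'
}

# has_opt MOUNTS MOUNTPOINT OPTION -> exit 0 if MOUNTPOINT is mounted with OPTION
has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit !found }'
}

# check_item MOUNTS MOUNTPOINT [OPTION] -> prints one PASS/FAIL line, exit 1 on FAIL.
# With an empty OPTION only the "separate partition" condition is checked.
check_item() {
    mounts=$1; mp=$2; opt=$3
    if ! has_mount "$mounts" "$mp"; then
        printf 'FAIL separate partition missing: %s\n' "$mp"; return 1
    fi
    if [ -n "$opt" ] && ! has_opt "$mounts" "$mp" "$opt"; then
        printf 'FAIL %s option not set on %s\n' "$opt" "$mp"; return 1
    fi
    printf 'PASS %s %s\n' "$mp" "$opt"; return 0
}

# audit_mounts MOUNTS -> runs the nine checks from the post; exit status = number of failures
audit_mounts() {
    fails=0
    for spec in \
        '/dev/shm:' '/dev/shm:noexec' \
        '/var/tmp:' '/var/tmp:noexec' '/var/tmp:nodev' '/var/tmp:nosuid' \
        '/var/log/audit:' '/home:' '/home:nodev'; do
        mp=${spec%%:*}; opt=${spec#*:}
        check_item "$1" "$mp" "$opt" || fails=$((fails + 1))
    done
    return $fails
}

# Demo on the constructed sample: /dev/shm and /home exist as mounts but lack
# noexec/nodev, and /var/tmp and /var/log/audit are not separate mounts at all.
audit_mounts "$SAMPLE_MOUNTS" || echo "$? of 9 checks failed"
```

Running `audit_mounts "$(cat /proc/mounts)"` on a live box turns the benchmark numbers into a concrete list of what is actually missing. Note that a FAIL on an option for `/var/tmp` is really the same finding as the missing partition: you cannot set `noexec` on a mount that does not exist, so the partition item has to be addressed first.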

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CIS Benchmark Fails - Filesystems

Post by TrevorH » 2021/08/31 15:44:21

I merged both your posts together since they are effectively the same question.

Those are recommendations by the CIS script. You do not have to implement them. If you do then they may have side effects and things may stop working. It's up to you to test what will work with what you run and what will not. We cannot tell you since everyone's environment differs and the things you do will not be the same things that we do. Many of those are sensible recommendations but implementing them may still break things that do not expect them. For example, disabling mounting of FAT filesystems may have a knock-on effect since /boot/efi will be a FAT filesystem (so that the BIOS can read it).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
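The FAT caveat in the reply above is a good example of why the filesystem items in the first post (cramfs, squashfs, udf, FAT) should be checked against what is actually mounted before anything is disabled. The script below is an added example, not code from the thread or from CIS: for each module you intend to disable it looks for mounted filesystems of that type and only emits the `install <module> /bin/true` line (the modprobe.d convention for preventing a module from loading) when nothing is using it. It assumes the filesystem type shown in `/proc/mounts` matches the module name, which holds for these four; the sample mount table is constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example: check which filesystem types are in use before disabling their
# modules. Sample /proc/mounts data is constructed; on a real host use
# "$(cat /proc/mounts)" instead.

# Constructed sample: an EFI system with /boot/efi on vfat, as described in the reply.
SAMPLE_MOUNTS='/dev/mapper/centos-root / xfs rw,relatime 0 0
/dev/sda2 /boot xfs rw,relatime 0 0
/dev/sda1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# fs_mountpoints MOUNTS FSTYPE -> prints the mount points using FSTYPE, one per line
fs_mountpoints() {
    printf '%s\n' "$1" | awk -v fs="$2" '$3 == fs { print $2 }'
}

# fs_in_use MOUNTS FSTYPE -> exit 0 if at least one mounted filesystem has that type
fs_in_use() {
    [ -n "$(fs_mountpoints "$1" "$2")" ]
}

# plan_disable MOUNTS MODULE... -> prints a modprobe.d "install" line for each
# module whose filesystem type is not mounted, and a SKIP line for the others.
# Exit status is the number of modules skipped, so a non-zero result means
# "review before applying".
plan_disable() {
    mounts=$1; shift
    skipped=0
    for mod in "$@"; do
        if fs_in_use "$mounts" "$mod"; then
            printf 'SKIP %s: mounted at %s\n' "$mod" \
                "$(fs_mountpoints "$mounts" "$mod" | tr '\n' ' ')"
            skipped=$((skipped + 1))
        else
            printf 'install %s /bin/true\n' "$mod"
        fi
    done
    return $skipped
}

# Demo on the constructed sample: cramfs, squashfs and udf get install lines,
# vfat is skipped because /boot/efi depends on it.
plan_disable "$SAMPLE_MOUNTS" cramfs squashfs udf vfat \
    || echo "$? module(s) left enabled, review before writing /etc/modprobe.d"
```

Two things the check does not cover: a module that is already loaded stays loaded until it is unloaded or the machine reboots, so the `install` line only prevents future loads; and a filesystem that is mounted only occasionally (removable media, an ISO image) will not appear in `/proc/mounts` at audit time, which is exactly the kind of environment-specific breakage the reply warns about.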
