|
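# CIS 1.1.14 Ensure nodev option set on /dev/shm partition (Scored)
#
# Description
# ===========
# The nodev mount option specifies that the filesystem cannot contain special
# devices.
#
# Rationale
# =========
# Since the /run/shm filesystem is not intended to support devices, set this
# option to ensure that users cannot attempt to create special devices in
# /dev/shm partitions.
# (The benchmark text says /run/shm here; on the targeted distribution this is
# presumably the same tmpfs as /dev/shm — confirm on the release in use.)
#
# Audit
# =====
# Run the following command and verify that the nodev option is set on /dev/shm .
#
# # mount | grep /dev/shm
# shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
#
# Remediation
# ===========
#
# Edit the /etc/fstab file and add nodev to the fourth field (mounting options)
# for the /dev/shm partition. See the fstab(5) manual page for more information.
# Run the following command to remount /dev/shm :
#
# # mount -o remount,nodev /dev/shm
#
# CIS 1.1.15 Ensure nosuid option set on /dev/shm partition (Scored)
#
# Description
# ===========
# The nosuid mount option specifies that the filesystem cannot contain setuid
# files.
#
# Rationale
# =========
# Setting this option on a file system prevents users from introducing
# privileged programs onto the system and allowing non-root users to execute them.
#
# Audit
# =====
# Run the following command and verify that the nosuid option is set on /dev/shm .
#
# # mount | grep /dev/shm
# shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
#
# Remediation
# ===========
# Edit the /etc/fstab file and add nosuid to the fourth field (mounting options)
# for the /dev/shm partition. See the fstab(5) manual page for more information.
# Run the following command to remount /dev/shm :
#
# # mount -o remount,nosuid /dev/shm
#
# CIS 1.1.16 Ensure noexec option set on /dev/shm partition (Scored)
#
# Description
# ===========
# The noexec mount option specifies that the filesystem cannot contain
# executable binaries.
#
# Rationale
# =========
# Setting this option on a file system prevents users from executing programs
# from shared memory. This deters users from introducing potentially malicious
# software on the system.
#
# Audit
# =====
# Run the following command and verify that the noexec option is set on /dev/shm .
#
# # mount | grep /dev/shm
# shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
#
# Remediation
# ===========
# Edit the /etc/fstab file and add noexec to the fourth field (mounting options)
# for the /dev/shm partition. See the fstab(5) manual page for more information.
# Run the following command to remount /dev/shm :
#
# # mount -o remount,noexec /dev/shm
#
# Mount definition that implements all three controls above (1.1.14 - 1.1.16)
# in one /etc/fstab entry. The keys are consumed by the linux formula's
# storage/mount state (presumably salt-formula-linux — confirm against the
# formula version in use); this file only supplies the data.
#
# NOTE(review): noexec on /dev/shm can break software that relies on executable
# shared-memory mappings — validate in staging before fleet-wide rollout.
# NOTE(review): on systemd hosts /dev/shm is normally mounted before fstab is
# processed; confirm the resulting mount actually carries these options with
# the audit command above (or `findmnt /dev/shm`) rather than trusting the
# fstab edit alone.
parameters:
  linux:
    storage:
      mount:
        ensure_dev_shm_mount_options:
          # set to false to keep the pillar data but skip applying the mount
          enabled: true
          file_system: tmpfs
          device: shm
          path: /dev/shm
          # fourth fstab field; nosuid, nodev and noexec are the hardening options
          opts: rw,nosuid,nodev,noexec,relatime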
|