Profile Applicability:
• Level 1
Description:
The nodev mount option prevents device files from being interpreted on the mounted filesystem. Applying this option to /tmp protects the system by disallowing device files from being created or used in /tmp.
Rationale:
Setting the nodev option on /tmp reduces the risk of device file abuse by attackers, which could lead to privilege escalation or unauthorized access.
Impact:
Pros:
Prevents creation and use of device files on /tmp.
Helps mitigate privilege escalation attacks.
Cons:
May interfere with applications that require device files in /tmp (rare).
Default Value:
By default, the nodev option is usually not set on /tmp unless configured explicitly.
Pre-requisites:
Root or sudo privileges to modify /etc/fstab and remount filesystems.
/tmp must be mounted as a separate partition.
Remediation:
Test Plan:
Using Linux command line:
Check current mount options on /tmp:
mount | grep /tmp
Verify if nodev option is present in /etc/fstab for /tmp:
grep /tmp /etc/fstab
Expected output: Mount options for /tmp include nodev.
Implementation Plan:
Using Linux command line:
Edit /etc/fstab to add nodev to /tmp mount options. Example:
/dev/<partition> /tmp ext4 defaults,nodev,nosuid,noexec 0 0
Remount /tmp to apply the new option without reboot:
mount -o remount,nodev /tmp
Verify mount options again:
mount | grep /tmp
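The test and implementation steps above can be scripted so the check matches the /tmp mount point exactly and tests for nodev as a whole option token. The following audit helper is an added example, not part of the CIS benchmark; the fstab entries it checks are constructed samples with placeholder device names, and the live check only reads /proc/self/mounts.

```shell
#!/bin/sh
# Added audit helper for the /tmp nodev check; not part of the CIS benchmark text.
# /etc/fstab and /proc/self/mounts share one six-field layout, so one parser serves both.

# has_opt OPTIONS OPTION: succeed if OPTION is a whole token of the comma list,
# so "nodev" is not matched by "nodevice" or by "dev".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# tmp_mount_opts TABLE: print the option field of the entry mounted exactly on
# /tmp; comments, blank lines and paths like /tmp/scratch are skipped (a bare
# "grep /tmp" would match those as well).
tmp_mount_opts() {
    printf '%s\n' "$1" | while read -r dev mnt _type opts _rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        if [ "$mnt" = "/tmp" ]; then
            printf '%s\n' "$opts"
            break
        fi
    done
}

# audit_table LABEL TABLE: status 0 only if a separate /tmp entry carries nodev.
audit_table() {
    opts=$(tmp_mount_opts "$2")
    if [ -z "$opts" ]; then
        echo "FAIL ($1): /tmp is not a separate mount"; return 1
    elif has_opt "$opts" nodev; then
        echo "PASS ($1): /tmp options include nodev [$opts]"; return 0
    else
        echo "FAIL ($1): /tmp options lack nodev [$opts]"; return 1
    fi
}

# Constructed fstab samples (placeholder devices, not from a real system): the
# weak entry before remediation and the corrected entry after it.
WEAK_FSTAB='# sample fstab
UUID=PLACEHOLDER-ROOT /            xfs  defaults 0 0
/dev/xvdb1            /tmp         ext4 defaults,nosuid,noexec 0 0
/dev/xvdb2            /tmp/scratch ext4 defaults,nodev 0 0'
FIXED_FSTAB='/dev/xvdb1 /tmp ext4 defaults,nodev,nosuid,noexec 0 0'

audit_table "weak fstab" "$WEAK_FSTAB" || true
audit_table "fixed fstab" "$FIXED_FSTAB"
# Same check against the live kernel mount table, when one is readable
[ -r /proc/self/mounts ] && audit_table "live" "$(cat /proc/self/mounts)" || true
```

Run it after editing /etc/fstab and remounting: the "fixed fstab" line must report PASS, and the "live" line must report PASS for the running system before the remediation counts as applied.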
Backout Plan:
Using Linux command line:
Remove nodev from /tmp mount options in /etc/fstab.
Remount /tmp without nodev:
mount -o remount /tmp
Verify mount options:
mount | grep /tmp
References:
CIS Amazon Linux 2 Benchmark v3.0.0