Profile Applicability:
• Level 1
Description:
/dev/shm is a temporary filesystem (tmpfs) that provides shared memory support for processes. Mounting /dev/shm on a separate partition isolates it from the root filesystem, improving security and stability.
Rationale:
Having /dev/shm on a separate partition limits the risk of denial-of-service attacks that fill shared memory, prevents interference with other filesystem operations, and allows applying mount options such as nodev, nosuid, and noexec to enhance security.
Impact:
Pros:
Isolates shared memory filesystem from root partition.
Enables application of stricter mount options to prevent device files, setuid binaries, or execution in shared memory.
Helps protect against attacks targeting shared memory.
Cons:
Requires additional configuration and partitioning.
Misconfiguration could affect system or application stability.
Default Value:
On many systems, /dev/shm is mounted as a tmpfs but not necessarily as a separate partition.
Pre-requisites:
Root or sudo privileges to modify /etc/fstab and remount filesystems.
Remediation:
Test Plan:
Using Linux command line:
Check current mount points for /dev/shm:
mount | grep /dev/shm
Verify /dev/shm is mounted on a separate partition or tmpfs:
findmnt /dev/shm
Check /etc/fstab for /dev/shm entry:
grep /dev/shm /etc/fstab
Expected output: /dev/shm should be listed as a separate mount with appropriate options.
Implementation Plan:
Using Linux command line:
- Add or edit /etc/fstab to mount /dev/shm as a tmpfs with secure options, for example:
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
Remount /dev/shm without reboot:
mount -o remount /dev/shm
Verify mount options:
mount | grep /dev/shm
Backout Plan:
Using Linux command line:
Remove or comment out /dev/shm entry in /etc/fstab.
Remount /dev/shm:
mount -o remount /dev/shm
Verify /dev/shm mount status.
References:
CIS Amazon Linux 2 Benchmark v3.0.0