Profile Applicability:
• Level 1
Description:
The nodev mount option prevents character and block device special files on the mounted filesystem from being interpreted as devices. Applying this option to /dev/shm restricts the creation and use of device files in the shared memory filesystem.
Rationale:
Setting the nodev option on /dev/shm reduces the risk of device file exploitation, which can lead to privilege escalation or unauthorized access.
Impact:
Pros:
Prevents device file abuse on /dev/shm.
Helps mitigate potential privilege escalation vulnerabilities.
Cons:
May interfere with rare applications requiring device files on /dev/shm.
Default Value:
By default, nodev is often set on /dev/shm, but this should be verified and enforced.
Pre-requisites:
Root or sudo privileges to modify /etc/fstab and remount filesystems.
/dev/shm must be mounted as a separate tmpfs filesystem.
Remediation:
Test Plan:
Using Linux command line:
Check current mount options for /dev/shm:
mount | grep /dev/shm
Verify if nodev is included in /etc/fstab for /dev/shm:
grep /dev/shm /etc/fstab
Expected output: Mount options for /dev/shm include nodev.
Implementation Plan:
Using Linux command line:
Edit /etc/fstab to add nodev to the /dev/shm mount options. Example:
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
Remount /dev/shm with the new options without a reboot:
mount -o remount,nodev /dev/shm
Verify mount options:
mount | grep /dev/shm
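An added audit helper, not part of the benchmark text, that performs the Test Plan check and the verification step above by parsing records in the shared fstab / /proc/self/mounts layout (so the same function audits both the persistent configuration and the running mount table). The function names and the sample records are constructed for this example.

```shell
#!/bin/sh
# Added audit helper (constructed example, not from the CIS benchmark):
# checks an /etc/fstab or /proc/self/mounts record for nodev on /dev/shm.
# Both files share the six-field layout:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>

# has_option OPTS NAME: returns 0 if NAME is one comma-separated member
# of OPTS. The surrounding commas stop "nodev" matching inside "nodevx".
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_shm_nodev < FILE
# Reads fstab/mounts records on stdin, skips comment lines, and finds the
# /dev/shm entry. Returns 0 (nodev present), 1 (nodev missing),
# 2 (no /dev/shm entry, i.e. not mounted as a separate tmpfs).
audit_shm_nodev() {
    opts=$(awk '$1 !~ /^#/ && $2 == "/dev/shm" { print $4; exit }')
    if [ -z "$opts" ]; then
        echo "FAIL: no /dev/shm entry found"
        return 2
    fi
    if has_option "$opts" nodev; then
        echo "PASS: /dev/shm has nodev (options: $opts)"
        return 0
    fi
    echo "FAIL: /dev/shm lacks nodev (options: $opts)"
    return 1
}

# Constructed sample records used for demonstration.
SAMPLE_OK='tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0'
SAMPLE_BAD='tmpfs /dev/shm tmpfs defaults 0 0'

# With --live, audit the running mount table and the persistent config.
if [ "${1:-}" = "--live" ]; then
    audit_shm_nodev < /proc/self/mounts
    audit_shm_nodev < /etc/fstab
fi
```

Run with `--live` on a host to see both verdicts; a PASS from /proc/self/mounts but a FAIL from /etc/fstab means the setting will not survive a reboot.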
Backout Plan:
Using Linux command line:
Remove nodev from /dev/shm mount options in /etc/fstab.
Remount /dev/shm without nodev:
mount -o remount /dev/shm
Verify mount options:
mount | grep /dev/shm
References:
CIS Amazon Linux 2 Benchmark v3.0.0