Profile Applicability:
• Level 1
Description:
The nodev mount option prevents device files from being interpreted on the mounted filesystem. Applying this option to /home helps prevent creation and use of device files by unprivileged users, reducing potential security risks.
Rationale:
Setting the nodev option on /home reduces the risk that malicious users create device files that can be exploited for privilege escalation or unauthorized access.
Impact:
Pros:
Prevents device file abuse on /home.
Enhances overall system security posture.
Cons:
Some applications may require device files on /home (rare).
Default Value:
By default, nodev is usually not set on /home unless explicitly configured.
Pre-requisites:
Root or sudo privileges to modify /etc/fstab and remount filesystems.
/home must be mounted as a separate partition.
Remediation:
Test Plan:
Using Linux command line:
Check current mount options for /home:
mount | grep /home
Verify if nodev is included in /etc/fstab for /home:
grep /home /etc/fstab
Expected output: Mount options for /home include nodev.
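The two checks in the Test Plan, written as a small POSIX sh audit helper. This is an added example, not text from the CIS benchmark: it parses the /home entry of an fstab-style file for nodev and checks the live mount with findmnt, which matches the mount point exactly instead of grepping mount output (where /home2 would also match). The sample fstab lines are constructed so the parsing part runs offline; the live check assumes /home is a separate mount, as the pre-requisites require.

```shell
#!/bin/sh
# Added audit helper (not part of the CIS benchmark text).

# Print the mount options (4th field) of the last non-comment line whose
# mount point equals $1, reading fstab-style text from stdin.
fstab_opts_for() {
    awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { opts = $4 } END { print opts }'
}

# Exit 0 if the comma-separated option string $1 contains the option $2.
# Wrapping in commas avoids prefix matches (e.g. "nodev" vs "nodevice").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if the fstab entry for $1 (read from stdin) includes nodev,
# 1 if the entry exists without nodev, 2 if there is no entry at all.
fstab_has_nodev() {
    opts=$(fstab_opts_for "$1")
    [ -n "$opts" ] || return 2
    has_opt "$opts" nodev
}

# Live check against the running system. findmnt prints the active options
# for the mount point; exit 2 means $1 is not a separate mount, which fails
# the pre-requisite for this recommendation.
live_has_nodev() {
    opts=$(findmnt -n -o OPTIONS "$1") || return 2
    has_opt "$opts" nodev
}

# Constructed sample entries (not from any real host) for offline use.
SAMPLE_FSTAB_GOOD='UUID=0000-CONSTRUCTED / ext4 defaults 0 1
# comment lines are ignored
/dev/xvdb1 /home ext4 defaults,nodev,nosuid,noexec 0 0'
SAMPLE_FSTAB_BAD='/dev/xvdb1 /home ext4 defaults 0 0'

# Run with --audit to check the real /etc/fstab and live mount.
if [ "${1:-}" = "--audit" ]; then
    fstab_has_nodev /home </etc/fstab && echo "fstab: nodev set" || echo "fstab: nodev missing (rc=$?)"
    live_has_nodev /home && echo "live: nodev set" || echo "live: nodev missing (rc=$?)"
fi
```

A return code of 2 from either function points at the pre-requisite (no /home entry or no separate mount) rather than at a missing option.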
Implementation Plan:
Using Linux command line:
Edit /etc/fstab to add nodev to the /home mount options. For example:
/dev/<partition> /home ext4 defaults,nodev,nosuid,noexec 0 0
Remount /home with new options without reboot:
mount -o remount,nodev /home
Verify mount options:
mount | grep /home
Backout Plan:
Using Linux command line:
Remove nodev from /home mount options in /etc/fstab.
Remount /home without nodev:
mount -o remount /home
Verify mount options:
mount | grep /home
References:
CIS Amazon Linux 2 Benchmark v3.0.0