Profile Applicability:
• Level 1
Description:
The nosuid mount option prevents the operation of set-user-identifier (setuid) and set-group-identifier (setgid) bits on executable files in the mounted filesystem. Applying this option to /home helps prevent privilege escalation by disallowing setuid and setgid programs from running in user directories.
Rationale:
Setting the nosuid option on /home reduces the risk that users or attackers could exploit setuid/setgid binaries within their home directories to gain elevated privileges.
Impact:
Pros:
Mitigates privilege escalation attacks via setuid/setgid binaries in /home.
Improves overall system security posture.
Cons:
May affect applications that require setuid/setgid binaries in /home (rare).
Default Value:
The nosuid option is typically not set on /home unless explicitly configured.
Pre-requisites:
Root or sudo privileges to modify /etc/fstab and remount filesystems.
/home must be mounted as a separate partition.
Remediation:
Test Plan:
Using Linux command line:
Check current mount options for /home:
mount | grep /home
Verify if nosuid is present in /etc/fstab for /home:
grep /home /etc/fstab
Expected output: Mount options for /home include nosuid.
Implementation Plan:
Using Linux command line:
- Edit /etc/fstab to add nosuid to the /home mount options. Example:
/dev/<partition> /home ext4 defaults,nodev,nosuid,noexec 0 0
Remount /home with new options:
mount -o remount,nosuid /home
Verify mount options:
mount | grep /home
Backout Plan:
Using Linux command line:
Remove nosuid from /home mount options in /etc/fstab.
Remount /home without nosuid:
mount -o remount /home
Verify mount options:
mount | grep /home
References:
CIS Amazon Linux 2 Benchmark v3.0.0