Profile Applicability:
• Level 1

Description:
 The nodev mount option prevents character and block device files on the mounted filesystem from being interpreted as devices. Applying this option to /var helps prevent the creation and use of device files there that could be abused for privilege escalation or unauthorized access.

Rationale:
 Setting the nodev option on /var reduces the risk of device file abuse, which can lead to system compromise or privilege escalation attacks.

Impact:
 Pros:

  • Prevents device file exploitation on /var.

  • Improves overall system security posture.

Cons:

  • May interfere with legitimate use of device files in /var (rare).

Default Value:
 By default, nodev is typically not set on /var unless explicitly configured.

Pre-requisites:

  • Root or sudo privileges to modify /etc/fstab and remount filesystems.

  • /var must be mounted as a separate partition.

Remediation:

Test Plan:

Using Linux command line:

  1. Check current mount options for /var:

     mount | grep /var

  2. Verify if nodev is included in /etc/fstab for /var:

     grep /var /etc/fstab

     Expected output: Mount options for /var include nodev.

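The grep-based checks in the test plan above also match entries such as /var/log or /var/tmp, and match "nodev" as a substring. The following POSIX shell check is an added example, not part of the benchmark text: it matches the mount point exactly and tests for nodev as a whole option. The mount table it runs against here is constructed; the same functions accept the contents of /proc/self/mounts or /etc/fstab.

```shell
#!/bin/sh
# Added example (not part of the benchmark): check that a mount point is a
# separate filesystem carrying the nodev option. The mount point is matched
# exactly (so /var does not match /var/log) and nodev as a whole option (so
# "nodev" is not confused with a substring of another option). The table may
# come from /proc/self/mounts or /etc/fstab, both in the same six-field format.

# mount_opts TABLE MOUNTPOINT: print the option field of the last entry whose
# mount point is exactly MOUNTPOINT; print nothing if there is none.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp { opts = $4 }
        END { if (opts != "") print opts }'
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated options.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_nodev TABLE MOUNTPOINT: report PASS/FAIL and return 0/1 accordingly.
check_nodev() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "FAIL: $2 is not mounted as a separate filesystem"
        return 1
    fi
    if has_opt "$opts" nodev; then
        echo "PASS: $2 is mounted with nodev ($opts)"
        return 0
    fi
    echo "FAIL: $2 is mounted without nodev ($opts)"
    return 1
}

# Constructed sample mount table (not captured from a real host): /var lacks
# nodev while /var/log has it, the case a plain "grep /var" cannot tell apart.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,relatime,nosuid,noexec 0 0
/dev/sda3 /var/log ext4 rw,nodev,nosuid,noexec 0 0'

# On a live system use: check_nodev "$(cat /proc/self/mounts)" /var
check_nodev "$SAMPLE_MOUNTS" /var || :
check_nodev "$SAMPLE_MOUNTS" /var/log || :
```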
Implementation Plan:

Using Linux command line:

  1. Edit /etc/fstab to add nodev to /var mount options. Example:

     /dev/<partition>  /var  ext4  defaults,nodev,nosuid,noexec  0  0

  2. Remount /var with new options without reboot:

     mount -o remount,nodev /var

  3. Verify mount options:

     mount | grep /var

Backout Plan:

Using Linux command line:

  1. Remove nodev from /var mount options in /etc/fstab.

  2. Remount /var without nodev:

     mount -o remount /var

  3. Verify mount options:

     mount | grep /var

References: