Profile Applicability:
• Level 1
Description:
The nosuid mount option prevents the operation of set-user-identifier (setuid) and set-group-identifier (setgid) bits on executable files in the mounted filesystem: the kernel ignores the bits, so such programs run with the invoking user's privileges rather than the file owner's. Applying this option to /var helps mitigate privilege escalation risks by ensuring that no setuid or setgid program located there can run with elevated privilege.
Rationale:
Setting the nosuid option on /var reduces the risk that malicious or unauthorized binaries within /var could be exploited for privilege escalation.
Impact:
Pros:
Helps prevent privilege escalation attacks via setuid/setgid binaries in /var.
Improves overall system security.
Cons:
May affect applications relying on setuid/setgid binaries in /var (rare).
Default Value:
The nosuid option is typically not set on /var unless explicitly configured.
Pre-requisites:
Root or sudo privileges to modify /etc/fstab and remount filesystems.
/var must be mounted as a separate partition.
Remediation:
Test Plan:
Using Linux command line:
Check current mount options for /var:
mount | grep /var
Verify if nosuid is included in /etc/fstab for /var:
grep /var /etc/fstab
Expected output: the entry for the /var mount point itself (not /var/log, /var/tmp or another path containing /var, which the grep also matches) lists nosuid among its mount options, both in the mount output and in /etc/fstab.
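The following audit helpers are an added example, not part of the benchmark text. They match the /var mount point exactly (the plain grep above also matches /var/log and /var/tmp) and return a verdict a script can act on; audit_var assumes a Linux host with /proc/self/mounts and /etc/fstab.

```shell
# Added audit helpers (not from the benchmark). They match the /var mount
# point exactly, unlike `grep /var`, which also matches /var/log, /var/tmp
# and any other path containing "/var".

# has_opt MOUNTPOINT OPTION: reads fstab- or /proc/mounts-style lines
# (device mountpoint fstype options dump pass) from stdin, skips blank and
# comment lines, and returns 0 only if the exact mountpoint lists OPTION.
has_opt() {
    awk -v mp="$1" -v opt="$2" '
        NF == 0 || /^[[:space:]]*#/ { next }
        $2 == mp {
            found = 1
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) hit = 1
        }
        END { if (found && hit) exit 0; exit 1 }'
}

# is_separate_mount MOUNTPOINT: returns 0 if the mountpoint has its own
# entry on stdin, the pre-requisite for this recommendation to apply.
is_separate_mount() {
    awk -v mp="$1" '
        NF == 0 || /^[[:space:]]*#/ { next }
        $2 == mp { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# audit_var: runs both checks on a live Linux host (assumes /proc/self/mounts
# and /etc/fstab exist). Returns 0 when /var is a separate mount with nosuid
# applied now and persisted in fstab, 2 if /var is not separate, 1 otherwise.
audit_var() {
    if ! is_separate_mount /var < /proc/self/mounts; then
        echo "/var is not a separate mount; recommendation not applicable"
        return 2
    fi
    rc=0
    for src in /proc/self/mounts /etc/fstab; do
        if has_opt /var nosuid < "$src"; then
            echo "$src: nosuid set for /var"
        else
            echo "$src: nosuid MISSING for /var"; rc=1
        fi
    done
    return $rc
}
```

Run audit_var after the remount and again after a reboot: a nosuid that shows only in /proc/self/mounts and not in /etc/fstab will not survive a restart.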
Implementation Plan:
Using Linux command line:
Edit /etc/fstab to add nosuid to the /var mount options. For example:
/dev/<partition> /var ext4 defaults,nodev,nosuid,noexec 0 0
nodev and noexec in this example are separate hardening options; noexec blocks execution of any program under /var, so verify that no required program executes from /var before adding it.
Remount /var with new options:
mount -o remount,nosuid /var
Verify mount options:
mount | grep /var
Backout Plan:
Using Linux command line:
Remove nosuid from /var mount options in /etc/fstab.
Remount /var without nosuid:
mount -o remount /var
Verify mount options:
mount | grep /var
References:
CIS Amazon Linux 2 Benchmark v3.0.0