Profile Applicability:
 • Level 1

Description:
 The nosuid mount option prevents the operation of set-user-identifier (setuid) and set-group-identifier (setgid) bits on executable files in the mounted filesystem. Applying this option to /var/log helps mitigate privilege escalation by disallowing setuid and setgid programs from running in the log directory.

Rationale:
 Setting the nosuid option on /var/log reduces the risk that malicious or unauthorized binaries within /var/log could be exploited for privilege escalation.

Impact:
 Pros:

  • Helps prevent privilege escalation attacks via setuid/setgid binaries in /var/log.

  • Improves overall system security.

Cons:

  • May affect applications relying on setuid/setgid binaries in /var/log (rare).

Default Value:
 The nosuid option is typically not set on /var/log unless explicitly configured.

Pre-requisites:

  • Root or sudo privileges to modify /etc/fstab and remount filesystems.

  • /var/log must be mounted as a separate partition.

Remediation:

Test Plan:

Using Linux command line:

  1. Check current mount options for /var/log:

     mount | grep /var/log

  2. Verify if nosuid is included in /etc/fstab for /var/log:

     grep /var/log /etc/fstab
    Expected output: Mount options for /var/log include nosuid.


Implementation Plan:

Using Linux command line:

  1. Edit /etc/fstab to add nosuid to /var/log mount options. Example:
    /dev/<partition>  /var/log  ext4  defaults,nodev,nosuid,noexec  0  0

  2. Remount /var/log with new options:

     mount -o remount,nosuid /var/log

  3. Verify mount options:

    mount | grep /var/log

Backout Plan:

Using Linux command line:

  1. Remove nosuid from /var/log mount options in /etc/fstab.

  2. Remount /var/log without nosuid:

     mount -o remount /var/log

  3. Verify mount options:

     mount | grep /var/log

References: