Profile Applicability:
• Level 1
Description:
The nodev mount option prevents character and block special device files on the mounted filesystem from being interpreted as devices. Applying this option to /var/log/audit helps prevent the creation and use of device files on that filesystem that could be exploited for privilege escalation or unauthorized access.
Rationale:
Setting the nodev option on /var/log/audit reduces the risk of device file abuse, which can lead to compromise of audit logs or unauthorized system access.
Impact:
Pros:
• Prevents device file exploitation on /var/log/audit.
• Enhances overall system security posture.
Cons:
• May interfere with legitimate device file operations if any exist in /var/log/audit (rare).
Default Value:
By default, the nodev option is often not set on /var/log/audit unless explicitly configured.
Pre-requisites:
Root or sudo privileges to modify /etc/fstab and remount filesystems.
/var/log/audit must be mounted as a separate partition.
Remediation:
Test Plan:
Using Linux command line:
Check current mount options for /var/log/audit:
mount | grep /var/log/audit
Verify if nodev is present in /etc/fstab for /var/log/audit:
grep /var/log/audit /etc/fstab
Expected output: The mount options shown for /var/log/audit by both commands include nodev.
Implementation Plan:
Using Linux command line:
Edit /etc/fstab to add nodev to the mount options for /var/log/audit. Example:
/dev/<partition> /var/log/audit ext4 defaults,nodev,nosuid,noexec 0 0
Remount /var/log/audit with the new options without reboot:
mount -o remount,nodev /var/log/audit
Verify mount options:
mount | grep /var/log/audit
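The test and implementation steps above compare two things by eye: the options configured in /etc/fstab and the options of the live mount. The following script is an added example, not part of the benchmark; it checks both with one function, because /etc/fstab and /proc/self/mounts share the fstab(5) field layout (device, mount point, type, options, dump, pass). The sample tables, device names and temp files are constructed for the demonstration; on a real host the last comment shows the call to use.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit a mount option in a
# table laid out like fstab(5). /etc/fstab (configured state) and
# /proc/self/mounts (live state, what "mount | grep" shows) both use it.

# has_mount_option TABLE MOUNTPOINT OPTION
# Exit 0 if OPTION appears in the comma-separated options of MOUNTPOINT.
has_mount_option() {
    awk -v mp="$2" -v opt="$3" '
        /^[ \t]*#/ || NF < 4 { next }   # skip comments and blank lines
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_audit_mount FSTAB MOUNTS
# One PASS/FAIL line per table; returns 0 only when nodev is set in both,
# so a fstab edit that has not been remounted yet still fails.
check_audit_mount() {
    rc=0
    for tbl in "$1" "$2"; do
        if has_mount_option "$tbl" /var/log/audit nodev; then
            echo "PASS: nodev set for /var/log/audit in $tbl"
        else
            echo "FAIL: nodev missing for /var/log/audit in $tbl"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample tables (placeholders, not real system files):
# fstab already has nodev, the live mount does not, so a remount is due.
SAMPLE_FSTAB=$(mktemp); SAMPLE_MOUNTS=$(mktemp)
cat >"$SAMPLE_FSTAB" <<'EOF'
# <device>   <mount point>   <type> <options>                    <dump> <pass>
/dev/xvda1   /               ext4   defaults                     0 1
/dev/xvdb1   /var/log/audit  ext4   defaults,nodev,nosuid,noexec 0 0
EOF
cat >"$SAMPLE_MOUNTS" <<'EOF'
/dev/xvda1 / ext4 rw,relatime 0 0
/dev/xvdb1 /var/log/audit ext4 rw,relatime,nosuid,noexec 0 0
EOF
check_audit_mount "$SAMPLE_FSTAB" "$SAMPLE_MOUNTS" || true
# On a real host: check_audit_mount /etc/fstab /proc/self/mounts
```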
Backout Plan:
Using Linux command line:
Remove nodev from /var/log/audit mount options in /etc/fstab.
Remount /var/log/audit without nodev:
mount -o remount /var/log/audit
Verify mount options:
mount | grep /var/log/audit
References:
CIS Amazon Linux 2 Benchmark v3.0.0