Profile Applicability:
• Level 1
Description:
The nosuid mount option prevents the operation of set-user-identifier (setuid) and set-group-identifier (setgid) bits on executable files in the mounted filesystem. Applying this option to /var/log/audit helps mitigate privilege escalation risks by disallowing setuid and setgid programs from running in the audit log directory.
Rationale:
Setting the nosuid option on /var/log/audit reduces the risk that malicious binaries within the audit log partition could be used for privilege escalation.
Impact:
Pros:
Mitigates privilege escalation via setuid/setgid binaries in /var/log/audit.
Enhances overall system security.
Cons:
May interfere with legitimate setuid/setgid binaries in /var/log/audit (rare).
Default Value:
The nosuid option is typically not set on /var/log/audit unless explicitly configured.
Pre-requisites:
Root or sudo privileges to modify /etc/fstab and remount filesystems.
/var/log/audit must be mounted as a separate partition.
Remediation:
Test Plan:
Using Linux command line:
Check current mount options for /var/log/audit:
mount | grep /var/log/audit
Verify if nosuid is included in /etc/fstab for /var/log/audit:
grep /var/log/audit /etc/fstab
Expected output: Mount options for /var/log/audit include nosuid.
Implementation Plan:
Using Linux command line
- Edit /etc/fstab to add nosuid to mount options for /var/log/audit. Example:
/dev/<partition> /var/log/audit ext4 defaults,nodev,nosuid,noexec 0 0
Remount /var/log/audit with new options:
mount -o remount,nosuid /var/log/audit
Verify mount options:
mount | grep /var/log/audit
Backout Plan:
Using Linux command line:
Remove nosuid from /var/log/audit mount options in /etc/fstab.
Remount /var/log/audit without nosuid:
mount -o remount /var/log/audit
Verify mount options:
mount | grep /var/log/audit
References:
CIS Amazon Linux 2 Benchmark v3.0.0