Details

The nosuid mount option specifies that the filesystem cannot contain setuid files.

Rationale:

Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.

Solution

Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.
Run the following command to remount /dev/shm:

# mount -o remount,noexec,nodev,nosuid /dev/shm

Additional Information:

/dev/shm is mounted automatically by systemd. /dev/shm needs to be added to /etc/fstab to add mount options even though it is already being mounted on boot.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3490

This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Configuration Management, Identification and Authentication, Media Protection.This control applies to the following type of system Unix.

References

• 800-53|AC-3
• 800-53|CM-1
• 800-53|CM-2
• 800-53|CM-6
• 800-53|CM-7
• 800-53|IA-5
• 800-53|MP-2
• CSCv7|5.1

Source

• Tenable.com/audits