1. Home
  2. Security Hardening
  3. CIS CentOS 7 V3 1.2 Workstation L1
  4. Ensure nosuid option set on /dev/shm partition

Ensure nosuid option set on /dev/shm partition

Details

The nosuid mount option specifies that the filesystem cannot contain setuid files.

Rationale:

Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.

Solution

Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.
Run the following command to remount /dev/shm:

# mount -o remount,noexec,nodev,nosuid /dev/shm

Additional Information:

/dev/shm is mounted automatically by systemd. /dev/shm needs to be added to /etc/fstab to add mount options even though it is already being mounted on boot.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Configuration Management, Identification and Authentication, Media Protection.This control applies to the following type of system Unix.

References

Source

Updated on July 16, 2022
Was this article helpful?

Related Articles