Title

Removable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option. (Cat II impact)

Discussion

The nodev (or equivalent) mount option causes the system to not handle device files as system devices. This option must be used for mounting any file system not containing approved device files. Device files can provide direct access to system hardware and can compromise security if not protected.

Check Content

If the system does not support a nodev option, this is not applicable. Check /etc/filesystems and verify the nodev mount option (options = ) is used on any file systems mounted from removable media or network shares, or file systems not containing any approved device files. If any such file system is not using the nodev option, this is a finding.

Fix Text

Edit /etc/filesystems and add the options = nodev to all entries for remote or removable media file systems, and file systems containing no approved device files.

Additional Identifiers

Rule ID: SV-38747r1_rule

Vulnerability ID: V-22368

Group Title: GEN002430

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.