Check: AIX7-00-001139
IBM AIX 7.x STIG:
AIX7-00-001139
(in versions v2 r9 through v1 r1)
Title
AIX removable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option. (Cat II impact)
Discussion
The nodev (or equivalent) mount option prevents the system from treating device files on that file system as system devices. This option must be used when mounting any file system that does not contain approved device files. Device files can provide direct access to system hardware and can compromise security if they are not protected.
Check Content
Identify any file system mounted from removable media, network shares, or file systems not containing any approved device files:

    # cat /etc/filesystems
    /:
        dev = /dev/hd4
        vfs = jfs2
        log = /dev/hd8
        mount = automatic
        check = false
        type = bootfs
        vol = root
        free = true
    /home:
        dev = /dev/hd1
        vol = "/home"
        mount = true
        check = true
        free = false
        vfs = jfs2
        log = /dev/hd8
    10.17.76.74:/opt/nfs /home/doejohn
        vfs = nfs
        log = /dev/hd8
        mount = true
        options = nodev
        account = false

If any file system mounted from removable media, network shares, or file systems not containing any approved device files is not using the "nodev" option, this is a finding.
Fix Text
Edit "/etc/filesystems" and add the "options = nodev" to all entries for remote or removable media file systems, and file systems containing no approved device files.
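The check above can be scripted instead of read by eye. The following is an added example (not part of the STIG text) that parses /etc/filesystems stanzas and reports every remote (nfs, nfs3, nfs4, cifs) or removable-media (cdrfs, udfs) stanza whose options line lacks nodev; the sample file it audits is constructed here for illustration. Local file systems that happen to contain no approved device files still need a manual review.

```shell
#!/bin/sh
# audit_filesystems FILE
# Prints the stanza name of each remote or removable-media file system in
# FILE (an /etc/filesystems-style file) whose "options" attribute does not
# include nodev. No output means no finding for this check.
audit_filesystems() {
    awk '
        function report() { if (name != "" && needs_nodev && !has_nodev) print name }
        # Stanza header: an unindented name ending in ":" (e.g. "/home:")
        /^[^[:space:]#*].*:[[:space:]]*$/ {
            report()
            name = $0; sub(/:[[:space:]]*$/, "", name)
            needs_nodev = 0; has_nodev = 0
            next
        }
        /^[[:space:]]+vfs[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
            if (v ~ /^(nfs|nfs3|nfs4|cifs|cdrfs|udfs)$/) needs_nodev = 1
        }
        /^[[:space:]]+options[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
            n = split(v, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "nodev") has_nodev = 1
        }
        END { report() }
    ' "$1"
}

# Constructed sample (not a real host): one NFS mount without nodev, one
# CD-ROM mount without nodev, and one NFS mount that is compliant.
SAMPLE_FILESYSTEMS=$(mktemp)
cat > "$SAMPLE_FILESYSTEMS" <<'EOF'
/:
    dev = /dev/hd4
    vfs = jfs2
    mount = automatic
/home/doejohn:
    dev = /opt/nfs
    nodename = 10.17.76.74
    vfs = nfs
    mount = true
/cdrom:
    dev = /dev/cd0
    vfs = cdrfs
    options = ro
/mnt/share:
    dev = /export/share
    nodename = nfsserver.example
    vfs = nfs
    options = rw,nodev,nosuid
EOF

audit_filesystems "$SAMPLE_FILESYSTEMS"   # prints /home/doejohn and /cdrom
```

Run it against the real file with `audit_filesystems /etc/filesystems`; each printed stanza is one entry the Fix Text says needs "options = nodev".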
Additional Identifiers
Rule ID: SV-215235r508663_rule
Vulnerability ID: V-215235
Group Title: SRG-OS-000480-GPOS-00227
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings