Check: AIX7-00-001139
IBM AIX 7.x STIG:
AIX7-00-001139
(in versions v3 r1 through v1 r1)
Title
AIX removable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option. (Cat II impact)
Discussion
The nodev (or equivalent) mount option causes the system to not handle device files as system devices. This option must be used for mounting any file system not containing approved device files. Device files can provide direct access to system hardware and can compromise security if not protected.
Check Content
Identify any file system mounted from removable media, network shares, or file systems not containing any approved device files: # cat /etc/filesystems /: dev = /dev/hd4 vfs = jfs2 log = /dev/hd8 mount = automatic check = false type = bootfs vol = root free = true /home: dev = /dev/hd1 vol = "/home" mount = true check = true free = false vfs = jfs2 log = /dev/hd8 10.17.76.74:/opt/nfs /home/doejohn vfs = nfs log = /dev/hd8 mount = true options = nodev account = false If any file system mounted from removable media, network shares, or file systems not containing any approved device files is not using the "nodev" option, this is a finding.
Fix Text
Edit "/etc/filesystems" and add the "options = nodev" to all entries for remote or removable media file systems, and file systems containing no approved device files.
Additional Identifiers
Rule ID: SV-215235r991589_rule
Vulnerability ID: V-215235
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |