An error occurred:

Check: RHEL-07-021024

RHEL 7 STIG: RHEL-07-021024 (in versions v3 r15 through v2 r8)

Title

The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options. (Cat III impact)

Discussion

The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Check Content

Verify that the "nodev","nosuid", and "noexec" options are configured for /dev/shm: # cat /etc/fstab | grep /dev/shm tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 If results are returned and the "nodev", "nosuid", or "noexec" options are missing, this is a finding. Verify "/dev/shm" is mounted with the "nodev", "nosuid", and "noexec" options: # mount | grep /dev/shm tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel) If /dev/shm is mounted without secure options "nodev", "nosuid", and "noexec", this is a finding.

Fix Text

Configure the system so that /dev/shm is mounted with the "nodev", "nosuid", and "noexec" options by adding /modifying the /etc/fstab with the following line: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0

Additional Identifiers

Rule ID: SV-204486r958804_rule

Vulnerability ID: V-204486

Group Title: SRG-OS-000368-GPOS-00154

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001764

Prevent program execution in accordance with organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions; rules authorizing the terms and conditions of software program usage.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-7(2)

Prevent Program Execution