Check: RHEL-09-231095
RHEL 9 STIG: RHEL-09-231095 (in versions v1 r3 through v1 r1)
Title
RHEL 9 must mount /boot with the nodev option. (Cat II impact)
Discussion
The only legitimate location for device files is the "/dev" directory located on the root partition. The only exception to this is chroot jails.
Check Content
Verify that the "/boot" mount point has the "nodev" option with the following command:

Note: This control is not applicable to RHEL 9 systems booted with UEFI.

    $ sudo mount | grep '\s/boot\s'
    /dev/sda1 on /boot type xfs (rw,nodev,relatime,seclabel,attr2)

If the "/boot" file system does not have the "nodev" option set, this is a finding.
Fix Text
Modify "/etc/fstab" to use the "nodev" option on the "/boot" directory.
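The check and fix above can be scripted. The following is an added example, not part of the STIG text. It goes one step beyond the check by also comparing the live mount against "/etc/fstab", so a "nodev" that was only applied with a remount is reported. The function names, verdict words, the "no_boot_mount" case and the sample lines are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not STIG text): evaluate RHEL-09-231095 from mount data.

# has_opt OPTS NAME: succeed only if NAME is a whole comma-separated option.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# boot_opts FILE: print the options field of the last /boot entry in a
# /proc/mounts- or /etc/fstab-format file (device, mount point, type, options).
boot_opts() {
    awk '$1 !~ /^#/ && $2 == "/boot" { o = $4 } END { if (o != "") print o }' "$1"
}

# check_boot_nodev MOUNTS FSTAB UEFI: print one verdict word. UEFI is yes|no.
check_boot_nodev() {
    local live persist
    [ "$3" = "yes" ] && { echo not_applicable; return; }   # per the check note
    live=$(boot_opts "$1")
    persist=$(boot_opts "$2")
    [ -z "$live" ] && { echo no_boot_mount; return; }      # assumption: review by hand
    has_opt "$live" nodev || { echo finding; return; }
    # Mounted with nodev but fstab lacks it (or has no /boot entry):
    # the option is not guaranteed after the next boot.
    has_opt "$persist" nodev || { echo fstab_drift; return; }
    echo pass
}

# demo: run the check over constructed sample lines (no live system needed).
demo() {
    local d; d=$(mktemp -d)
    printf '/dev/sda1 /boot xfs rw,seclabel,relatime,attr2 0 0\n' > "$d/m_bad"
    printf '/dev/sda1 /boot xfs rw,seclabel,nodev,relatime,attr2 0 0\n' > "$d/m_ok"
    printf 'UUID=EXAMPLE /boot xfs defaults 0 0\n' > "$d/f_bad"
    printf 'UUID=EXAMPLE /boot xfs defaults,nodev 0 0\n' > "$d/f_ok"
    check_boot_nodev "$d/m_bad" "$d/f_ok"  no    # finding
    check_boot_nodev "$d/m_ok"  "$d/f_bad" no    # fstab_drift
    check_boot_nodev "$d/m_ok"  "$d/f_ok"  no    # pass
    check_boot_nodev "$d/m_bad" "$d/f_bad" yes   # not_applicable
    rm -rf "$d"
}

# Live use: ./script --live   (UEFI boot is detected via /sys/firmware/efi)
if [ "${1:-}" = "--live" ]; then
    uefi=no; [ -d /sys/firmware/efi ] && uefi=yes
    check_boot_nodev /proc/mounts /etc/fstab "$uefi"
elif [ "${1:-}" = "--demo" ]; then
    demo
fi
```

A "finding" or "fstab_drift" verdict is resolved by the Fix Text: add "nodev" to the options field of the "/boot" entry in "/etc/fstab".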
Additional Identifiers
Rule ID: SV-257860r925567_rule
Vulnerability ID: V-257860
Group Title: SRG-OS-000368-GPOS-00154
CCIs
Number | Definition |
---|---|
CCI-001764 | The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage. |
Controls
Number | Title |
---|---|
CM-7 (2) | Prevent Program Execution |