The Red Hat Enterprise Linux operating system must mount /dev/shm with the nosuid option.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-81011	RHEL-07-021023	SV-95723r1_rule		Low

Description
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

STIG	Date
Red Hat Enterprise Linux 7 Security Technical Implementation Guide	2018-11-28

Details

Check Text ( C-80725r1_chk )
Verify that the "nosuid" option is configured for /dev/shm. Check that the operating system is configured to use the "nosuid" option for /dev/shm with the following command: # cat /etc/fstab \| grep /dev/shm \| grep nosuid tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 If the "nosuid" option is not present on the line for "/dev/shm", this is a finding. Verify "/dev/shm" is mounted with the "nosuid" option: # mount \| grep "/dev/shm" \| grep nosuid If no results are returned, this is a finding.

Check Text ( C-80725r1_chk )

Verify that the "nosuid" option is configured for /dev/shm.

Check that the operating system is configured to use the "nosuid" option for /dev/shm with the following command:

# cat /etc/fstab | grep /dev/shm | grep nosuid

tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0

If the "nosuid" option is not present on the line for "/dev/shm", this is a finding.

Verify "/dev/shm" is mounted with the "nosuid" option:

# mount | grep "/dev/shm" | grep nosuid

If no results are returned, this is a finding.

Fix Text (F-87845r1_fix)
Configure the "/etc/fstab" to use the "nosuid" option for all lines containing "/dev/shm".