Within this series of posts we will go through all the Oracle Linux 7 CIS benchmark controls and outline them a bit more than might have been done on the actual CIS benchmark.
control : Set nodev option for /tmp Partition
The rationale given by the CIS benchmark is ; Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp.
In more detail, if the nodev option is not set it would allow for mounting the /tmp filesystem on a device. In this sense, a device could be for example a USB drive attached to the machine. When, if this is not prevented, a USB drive is added to the machine a device node will be created under /dev which can be used to mount /tmp on. The nodev option will ensure that this is prevented. The official man page reads the following on nodev : “Do not interpret character or block special devices on the file system.”
The CIS benchmark documentation provides the below command as a way to verify that the nodev option is given. In reality two possible options are provided however, I feel the one below is providing the most assurance that it is actually actively implemented in the right way.
mount | grep "[[:space:]]/tmp[[:space:]]" | grep nodev
A more extensive version of this check which will provide a pass/fail response is shown below:
#!/bin/bash mount | grep "[[:space:]]/tmp[[:space:]]" | grep nodev | wc -l&> /dev/null if [ $? == 0 ]; then echo "fail" else echo "pass" fi
This provides a easier way to implement an automated check if you want to incorporate this in a wider check for your Oracle Linux installation.
No comments:
Post a Comment