Skip to content

Add nodev Option to /boot

An XCCDF Rule

Description

The nodev mount option can be used to prevent device files from being created in /boot. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the list of Options in the systemd.mount unit that controls mounting of /boot.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

ID
xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
Severity
Medium
References
Updated