Add nosuid Option to Removable Media Partitions
An XCCDF Rule
Description
The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removable media.

Add the nosuid option to the list of Options in the systemd.mount unit that controls mounting of any removable media partitions.
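The following is an added example, not part of the SSG rule content or its remediation: it writes a removable-media systemd.mount unit without nosuid next to the same unit with nosuid added to Options=, and a small POSIX-sh check that reads the [Mount] section and reports whether nosuid is present. The device label, mount point and unit file names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not part of the SSG rule): weak vs. hardened systemd.mount
# unit for a removable partition, plus a check for nosuid in Options=.
# Device label, mount point and unit names are constructed assumptions.

WORK="$(mktemp -d)"

# Constructed example: a unit whose Options= lacks nosuid (fails the rule).
cat > "$WORK/media-usb.mount" <<'EOF'
[Unit]
Description=Removable USB partition (example)

[Mount]
What=/dev/disk/by-label/USBDATA
Where=/media/usb
Type=ext4
Options=defaults

[Install]
WantedBy=multi-user.target
EOF

# Constructed example: the same unit with nosuid added to Options= (passes).
cat > "$WORK/media-usb-fixed.mount" <<'EOF'
[Unit]
Description=Removable USB partition (example, hardened)

[Mount]
What=/dev/disk/by-label/USBDATA
Where=/media/usb
Type=ext4
Options=defaults,nosuid

[Install]
WantedBy=multi-user.target
EOF

# has_nosuid UNIT_FILE: exit 0 if the [Mount] section's Options= line lists
# nosuid as a whole comma-separated token, exit 1 otherwise.  The value is
# taken after the first "=" only, so options such as uid=1000 do not break it.
has_nosuid() {
    awk '
        /^\[/ { in_mount = ($0 == "[Mount]"); next }
        in_mount && /^Options=/ {
            val = $0; sub(/^Options=/, "", val)
            n = split(val, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "nosuid") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_unit UNIT_FILE: print PASS/FAIL and return the same status.
check_unit() {
    if has_nosuid "$1"; then
        printf 'PASS: %s mounts with nosuid\n' "$1"
        return 0
    fi
    printf 'FAIL: %s lacks nosuid in Options=\n' "$1"
    return 1
}

# Report on both constructed units; "|| :" keeps the demo going after a FAIL.
for unit in "$WORK/media-usb.mount" "$WORK/media-usb-fixed.mount"; do
    check_unit "$unit" || :
done
```

On a real host the same check would be run over the .mount units under /etc/systemd/system that describe removable partitions; a unit that fails it is fixed by appending nosuid to its Options= line and reloading systemd so the new options apply at the next mount.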
Rationale
The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs.
- ID: xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions
- Severity: Medium
- References:
A.10.1.1
A.11.1.4
A.11.1.5
A.11.2.1
A.11.2.6
A.11.2.9
A.12.1.2
A.12.5.1
A.12.6.2
A.13.1.1
A.13.1.3
A.13.2.1
A.13.2.3
A.13.2.4
A.14.1.2
A.14.1.3
A.14.2.2
A.14.2.3
A.14.2.4
A.6.1.2
A.6.2.1
A.6.2.2
A.7.1.1
A.7.1.2
A.7.3.1
A.8.2.1
A.8.2.2
A.8.2.3
A.8.3.1
A.8.3.3
A.9.1.1
A.9.1.2
A.9.2.1
A.9.2.3
A.9.4.1
A.9.4.4
A.9.4.5
- Updated