Skip to content

Add nosuid Option to /srv

An XCCDF Rule

Description

The nosuid mount option can be used to prevent execution of setuid programs in /srv. The SUID and SGID permissions should not be required in this directory. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /srv.

Rationale

The presence of SUID and SGID executables should be tightly controlled. The /srv directory contains files served by various network services such as FTP. Users should not be able to execute SUID or SGID binaries from this directory.

ID
xccdf_org.ssgproject.content_rule_mount_option_srv_nosuid
Severity
Medium
References
Updated



Remediation - Ansible

- name: 'Add nosuid Option to /srv: Check information associated to mountpoint'
  command: findmnt --fstab '/srv'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/srv" > /dev/null || findmnt --fstab "/srv" > /dev/null ); then

function perform_remediation {
    
        # the mount point /srv has to be defined in /etc/fstab