Skip to content

Add nosuid Option to /var/log/audit

An XCCDF Rule

Description

The nosuid mount option can be used to prevent execution of setuid programs in /var/log/audit. The SUID and SGID permissions should not be required in directories containing audit log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for audit log files.

ID
xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid
Severity
Medium
References
Updated



Remediation - Anaconda Pre-Install Instructions


part /var/log/audit --mountoptions="nosuid"

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then

function perform_remediation {
    
        # the mount point /var/log/audit has to be defined in /etc/fstab

Remediation - Ansible

- name: 'Add nosuid Option to /var/log/audit: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log/audit'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",