Add nodev Option to Removable Media Partitions
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
The nodev
mount option prevents files from being
interpreted as character or block devices.
Legitimate character and block devices should exist only in
the /dev
directory on the root partition or within chroot
jails built for system services.
Add the nodev
option to the fourth column of
/etc/fstab
for the line which controls mounting of
any removable media partitions.
Rationale
The only legitimate location for device files is the /dev
directory
located on the root partition. An exception to this is chroot jails, and it is
not advised to set nodev
on partitions which contain their root
filesystems.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
var_removable_partition='<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_removable_partition" use="legacy"/>'
device_regex="^\s*$var_removable_partition\s\+"
mount_option="nodev"
if grep -q $device_regex /etc/fstab ; then
previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}')
sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab
else
echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: XCCDF Value var_removable_partition # promote to variable
set_fact:
var_removable_partition: !!str <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_removable_partition" use="legacy"/>
tags:
- always
- name: Ensure permission nodev are set on var_removable_partition
lineinfile:
path: /etc/fstab
regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$
backrefs: true
line: \1 \2 \3 \4,nodev \5
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80146-4
- NIST-800-53-AC-6
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- NIST-800-53-MP-7
- configure_strategy
- high_disruption
- low_complexity
- medium_severity
- mount_option_nodev_removable_partitions
- no_reboot_needed