Add nodev Option to /dev/shm

Classification:

compliance

Framework:

Control:

Description

The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform\_remediation {
 


 mount\_point\_match\_regexp="$(printf "[[:space:]]%s[[:space:]]" /dev/shm)"

 # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
 if ! grep "$mount\_point\_match\_regexp" /etc/fstab; then
 # runtime opts without some automatic kernel/userspace-added defaults
 previous\_mount\_opts=$(grep "$mount\_point\_match\_regexp" /etc/mtab | head -1 | awk '{print $4}' \
 | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
 [ "$previous\_mount\_opts" ] && previous\_mount\_opts+=","
 echo "tmpfs /dev/shm tmpfs defaults,${previous\_mount\_opts}nodev 0 0" >> /etc/fstab
 # If the mount\_opt option is not already in the mount point's /etc/fstab entry, add it
 elif ! grep "$mount\_point\_match\_regexp" /etc/fstab | grep "nodev"; then
 previous\_mount\_opts=$(grep "$mount\_point\_match\_regexp" /etc/fstab | awk '{print $4}')
 sed -i "s|\(${mount\_point\_match\_regexp}.\*${previous\_mount\_opts}\)|\1,nodev|" /etc/fstab
 fi


 if mkdir -p "/dev/shm"; then
 if mountpoint -q "/dev/shm"; then
 mount -o remount --target "/dev/shm"
 fi
 fi
}

perform\_remediation

else
 >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: 'Add nodev Option to /dev/shm: Check information associated to mountpoint'
 command: findmnt '/dev/shm'
 register: device\_name
 failed\_when: device\_name.rc > 1
 changed\_when: false
 when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - NIST-800-53-AC-6
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - NIST-800-53-MP-7
 - configure\_strategy
 - high\_disruption
 - low\_complexity
 - medium\_severity
 - mount\_option\_dev\_shm\_nodev
 - no\_reboot\_needed

- name: 'Add nodev Option to /dev/shm: Create mount\_info dictionary variable'
 set\_fact:
 mount\_info: '{{ mount\_info|default({})|combine({item.0: item.1}) }}'
 with\_together:
 - '{{ device\_name.stdout\_lines[0].split() | list | lower }}'
 - '{{ device\_name.stdout\_lines[1].split() | list }}'
 when:
 - ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - device\_name.stdout is defined and device\_name.stdout\_lines is defined
 - (device\_name.stdout | length > 0)
 tags:
 - NIST-800-53-AC-6
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - NIST-800-53-MP-7
 - configure\_strategy
 - high\_disruption
 - low\_complexity
 - medium\_severity
 - mount\_option\_dev\_shm\_nodev
 - no\_reboot\_needed

- name: 'Add nodev Option to /dev/shm: If /dev/shm not mounted, craft mount\_info manually'
 set\_fact:
 mount\_info: '{{ mount\_info|default({})|combine({item.0: item.1}) }}'
 with\_together:
 - - target
 - source
 - fstype
 - options
 - - /dev/shm
 - tmpfs
 - tmpfs
 - defaults
 when:
 - ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - ("" | length == 0)
 - (device\_name.stdout | length == 0)
 tags:
 - NIST-800-53-AC-6
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - NIST-800-53-MP-7
 - configure\_strategy
 - high\_disruption
 - low\_complexity
 - medium\_severity
 - mount\_option\_dev\_shm\_nodev
 - no\_reboot\_needed

- name: 'Add nodev Option to /dev/shm: Make sure nodev option is part of the to /dev/shm
 options'
 set\_fact:
 mount\_info: '{{ mount\_info | combine( {''options'':''''~mount\_info.options~'',nodev''
 }) }}'
 when:
 - ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - mount\_info is defined and "nodev" not in mount\_info.options
 tags:
 - NIST-800-53-AC-6
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - NIST-800-53-MP-7
 - configure\_strategy
 - high\_disruption
 - low\_complexity
 - medium\_severity
 - mount\_option\_dev\_shm\_nodev
 - no\_reboot\_needed

- name: 'Add nodev Option to /dev/shm: Ensure /dev/shm is mounted with nodev option'
 mount:
 path: /dev/shm
 src: '{{ mount\_info.source }}'
 opts: '{{ mount\_info.options }}'
 state: mounted
 fstype: '{{ mount\_info.fstype }}'
 when:
 - ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - (device\_name.stdout is defined and (device\_name.stdout | length > 0)) or ("" |
 length == 0)
 tags:
 - NIST-800-53-AC-6
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
 - NIST-800-53-CM-7(a)
 - NIST-800-53-CM-7(b)
 - NIST-800-53-MP-7
 - configure\_strategy
 - high\_disruption
 - low\_complexity
 - medium\_severity
 - mount\_option\_dev\_shm\_nodev
 - no\_reboot\_needed