Add nodev Option to Removable Media Partitions

Classification: compliance

Framework:

Control:

Description

The nodev mount option prevents files on the mounted filesystem from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column (mount options) of /etc/fstab on the line which controls mounting of any removable media partitions.

Rationale

The only legitimate location for device files is the /dev directory located on the root partition. The exception is chroot jails, which carry their own device nodes; it is therefore not advised to set nodev on partitions which contain a chroot jail's root filesystem.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Device of the removable media partition, exactly as it appears in the first
# column of /etc/fstab (XCCDF value; it is empty here and must be set first)
var_removable_partition=''

# Guard: with an empty value the regex below would match every line in /etc/fstab
if [ -z "$var_removable_partition" ]; then
 echo "Not remediating, because var_removable_partition is not set" >&2
 exit 1
fi

# Match the fstab line whose first field is the device, then append nodev
# to the fourth (mount options) column of that line
device_regex="^\s*$var_removable_partition\s\+"
mount_option="nodev"

if grep -q "$device_regex" /etc/fstab ; then
 previous_opts=$(grep "$device_regex" /etc/fstab | awk '{print $4}')
 sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab
else
 echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2
 exit 1
fi

else
 >&2 echo 'Remediation is not applicable, nothing was done'
fi
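The sed one-liner above appends ",nodev" unconditionally, so running it twice leaves "nodev,nodev" in the options column. The following is an added example, not part of the ComplianceAsCode rule, showing an audit function and an idempotent remediation for the same fstab edit; it operates on a constructed fstab text rather than the live /etc/fstab, and the device paths in the sample are made up.

```python
import re

# Constructed sample /etc/fstab for this example (not taken from a real system).
SAMPLE_FSTAB = """\
# <device>        <mount point>   <type>  <options>            <dump> <pass>
UUID=1234-ABCD    /               ext4    defaults             1 1
/dev/sdb1         /media/usb      vfat    defaults,user,noauto 0 0
/dev/sr0          /media/cdrom    iso9660 ro,noauto,nodev      0 0
"""

# Captures everything up to the options column (group 1) and the options token (group 2).
_OPTIONS_COLUMN = re.compile(r"^(\s*\S+\s+\S+\s+\S+\s+)(\S+)")


def _fields(line):
    """Whitespace-separated fields of an fstab entry, or None for comments and blank lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return stripped.split()


def _lacks_option(line, device, option):
    """True when `line` is the entry for `device` and its options column lacks `option`."""
    f = _fields(line)
    return bool(f) and len(f) >= 4 and f[0] == device and option not in f[3].split(",")


def entries_missing_option(fstab_text, device, option="nodev"):
    """Audit: return the fstab lines for `device` that do not carry `option`."""
    return [line for line in fstab_text.splitlines() if _lacks_option(line, device, option)]


def add_mount_option(fstab_text, device, option="nodev"):
    """Remediate: append `option` to the options column of each entry for `device`.

    Idempotent: entries already carrying the option are left untouched, and only the
    options token is rewritten, so the original column spacing is preserved.
    """
    out = []
    for line in fstab_text.splitlines():
        if _lacks_option(line, device, option):
            line = _OPTIONS_COLUMN.sub(lambda m: m.group(1) + m.group(2) + "," + option, line, count=1)
        out.append(line)
    return "\n".join(out) + ("\n" if fstab_text.endswith("\n") else "")
```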

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: XCCDF Value var_removable_partition # promote to variable
  set_fact:
    var_removable_partition: !!str
  tags:
    - always

- name: Ensure permission nodev are set on var_removable_partition
  lineinfile:
    path: /etc/fstab
    regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$
    backrefs: true
    line: \1 \2 \3 \4,nodev \5
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-80146-4
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_nodev_removable_partitions
    - no_reboot_needed