Add nosuid Option to Removable Media Partitions

Classification: compliance

Description

The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted from removable media would allow them to introduce their own highly-privileged programs.
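The check and the fix described above amount to locating the removable device's line in /etc/fstab and making sure "nosuid" is in its fourth field. The following Python script is an added example, not part of this rule or of the ComplianceAsCode project, that audits fstab text for a list of removable devices and produces the remediated text without ever adding "nosuid" twice (the sed-based remediation below appends unconditionally, so running it repeatedly yields "nosuid,nosuid"). The fstab content, the device names /dev/sdb1, /dev/sr0 and /dev/sdc1 and their mount points are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample fstab (not taken from a real host). Device names and
# mount points are assumptions made for this example.
SAMPLE_FSTAB = """\
# /etc/fstab: static file system information (constructed example)
UUID=1234-ABCD  /          xfs   defaults        0 0
/dev/sdb1       /media/usb vfat  defaults,noauto 0 0
/dev/sr0        /media/cdrom iso9660 ro,noauto   0 0
/dev/sdc1       /media/backup ext4 nosuid,nodev,noauto 0 2
"""

# fstab columns: fs_spec fs_file fs_vfstype fs_mntops fs_freq fs_passno.
# Matches the first three columns plus the whitespace before the fourth,
# and captures the fourth (fs_mntops) so it can be rewritten in place.
FIELD4_RE = re.compile(r"^(\s*\S+\s+\S+\s+\S+\s+)(\S+)")


def parse_fstab(text: str) -> List[Tuple[int, List[str]]]:
    """Return (line_number, fields) for every non-comment, non-blank entry.

    Anything after '#' is a comment; entries with fewer than four columns
    are skipped because mount(8) cannot use them either."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        entries.append((lineno, fields))
    return entries


def missing_nosuid(text: str, removable_devices) -> List[str]:
    """Return the fs_spec of each listed removable device whose options lack nosuid."""
    wanted = set(removable_devices)
    findings = []
    for _, fields in parse_fstab(text):
        spec, opts = fields[0], fields[3].split(",")
        if spec in wanted and "nosuid" not in opts:
            findings.append(spec)
    return findings


def add_nosuid(text: str, removable_devices) -> str:
    """Append ',nosuid' to the fourth column of each listed device's entry.

    Idempotent: entries that already carry nosuid, comments and unrelated
    entries are returned byte-for-byte unchanged, including their spacing."""
    wanted = set(removable_devices)
    out = []
    for raw in text.splitlines(keepends=True):
        fields = raw.split("#", 1)[0].split()
        needs_fix = (
            len(fields) >= 4
            and fields[0] in wanted
            and "nosuid" not in fields[3].split(",")
        )
        if needs_fix:
            m = FIELD4_RE.match(raw)  # always matches when needs_fix is true
            raw = f"{m.group(1)}{m.group(2)},nosuid{raw[m.end():]}"
        out.append(raw)
    return "".join(out)


if __name__ == "__main__":
    removable = ["/dev/sdb1", "/dev/sr0", "/dev/sdc1"]
    for spec in missing_nosuid(SAMPLE_FSTAB, removable):
        print(f"FAIL: {spec} is mounted without nosuid")
    print(add_nosuid(SAMPLE_FSTAB, removable), end="")
```

Auditing /etc/fstab only tells you what the next mount will do; for a partition that is already mounted, compare against the live options with `findmnt -no OPTIONS <mountpoint>` (or /proc/self/mounts) as well, and remount after editing fstab so the two agree.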

Remediation

Shell script

The following script can be run on the host to remediate the issue.

```bash
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Set this to the fs_spec of the removable media partition exactly as it
# appears in the first column of /etc/fstab (device path, UUID= or LABEL=).
# It is left empty in the template and must be filled in before running.
var_removable_partition=''


device_regex="^\s*$var_removable_partition\s\+"
mount_option="nosuid"

if grep -q "$device_regex" /etc/fstab ; then
  previous_opts=$(grep "$device_regex" /etc/fstab | awk '{print $4}')
  sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab
else
  echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2
  # The script is executed, not sourced, so exit rather than return
  exit 1
fi

else
  >&2 echo 'Remediation is not applicable, nothing was done'
fi
```

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

```yaml
- name: XCCDF Value var_removable_partition # promote to variable
  set_fact:
    var_removable_partition: !!str 
  tags:
    - always

- name: Ensure permission nosuid are set on var_removable_partition
  lineinfile:
    path: /etc/fstab
    regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$
    backrefs: true
    line: \1 \2 \3 \4,nosuid \5
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-80148-0
    - DISA-STIG-RHEL-07-021010
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_nosuid_removable_partitions
    - no_reboot_needed
```