Add nosuid Option to /var

Classification:

compliance

Framework:

Control:

Description

The nosuid mount option prevents the kernel from honouring the setuid and setgid bits on executables located under /var (on Linux it also causes file capabilities on that mount to be ignored). Legitimate setuid or setgid programs should not live in /var, so the option can be applied without loss of function. Add nosuid to the fourth (options) column of the /etc/fstab line that mounts /var. This requires /var to be a separate mount point: if it is part of the root filesystem the option cannot be applied to /var alone, and separately mounted subdirectories such as /var/tmp or /var/log need nosuid on their own entries.

Rationale

The presence of SUID and SGID executables should be tightly controlled. Because /var contains locations that unprivileged users and services can write to (for example /var/tmp), mounting it with nosuid ensures that a setuid binary placed there cannot be used to gain elevated privileges.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

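# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Add the nosuid option to the /etc/fstab entry for /var and remount it.
# Returns 1 (and changes nothing) when /var has no fstab entry of its own,
# since nosuid cannot be applied to /var alone if it is part of the root
# filesystem.
function perform_remediation {
    # Match "/var" only as a complete whitespace-delimited field, so entries
    # for /var/log, /var/tmp etc. are not mistaken for the /var mount.
    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var")"

    # Ignore commented-out lines: editing one would report success while
    # leaving the live mount options untouched.
    fstab_entry="$(grep -v '^[[:space:]]*#' /etc/fstab | grep "$mount_point_match_regexp" | head -1)"
    if [ -z "$fstab_entry" ]; then
        echo "The mount point '/var' is not even in /etc/fstab, so we can't set up mount options" >&2
        echo "Not remediating, because there is no record of /var in /etc/fstab" >&2
        return 1
    fi

    # Only append nosuid if it is not already a complete option in the
    # fourth (options) column.  Testing that column, rather than the whole
    # line, avoids a false match on a device path or label that merely
    # contains the text "nosuid".
    if ! printf '%s\n' "$fstab_entry" | awk '{print $4}' | grep -Eq '(^|,)nosuid(,|$)'; then
        previous_mount_opts="$(printf '%s\n' "$fstab_entry" | awk '{print $4}')"
        # previous_mount_opts is interpolated into the sed pattern verbatim;
        # fstab option strings contain no sed metacharacters in practice.
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
    fi

    # Apply the new options to the running system.  With only the target
    # given, mount takes the option list from /etc/fstab; nothing is done if
    # /var is not currently a mount point.
    if mkdir -p "/var"; then
        if mountpoint -q "/var"; then
            mount -o remount --target "/var"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi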

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: 'Add nosuid Option to /var: Check information associated to mountpoint'
  # Look up the /etc/fstab entry for /var.  The output (a header line and one
  # data line, consumed by the next task) is registered for later tasks.
  # An exit code of 1 is tolerated here: the following tasks decide what to
  # do when no entry was found.
  command:
    cmd: findmnt --fstab '/var'
  register: device_name
  changed_when: false
  failed_when: device_name.rc > 1
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - configure_strategy
    - high_disruption
    - low_complexity
    - mount_option_var_nosuid
    - no_reboot_needed
    - unknown_severity

- name: 'Add nosuid Option to /var: Create mount_info dictionary variable'
  # Turn the two findmnt output lines into a dict keyed by the lower-cased
  # header names (target, source, fstype, options; see the keys the next
  # task crafts).  Skipped when findmnt printed nothing, i.e. /var has no
  # /etc/fstab entry.
  # NOTE(review): `lower` is applied to a list, which stringifies it; this
  # relies on Ansible converting the list-looking string back into a list
  # before with_together iterates it — confirm this still holds when
  # jinja2_native is enabled.
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
  tags:
    - configure_strategy
    - high_disruption
    - low_complexity
    - mount_option_var_nosuid
    - no_reboot_needed
    - unknown_severity

- name: 'Add nosuid Option to /var: If /var not mounted, craft mount_info manually'
  # Fallback for a /var that has no /etc/fstab entry.  The condition
  # ("--fstab" | length == 0) compares the length of a fixed 8-character
  # string with 0 and is therefore always false, so this task never runs:
  # a /var without its own fstab entry is left alone (the crafted entry
  # would have an empty source and fstype).  This matches the shell
  # remediation above, which returns 1 in the same situation.
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - - target
      - source
      - fstype
      - options
    - - /var
      - ''
      - ''
      - defaults
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - ("--fstab" | length == 0)
    - (device_name.stdout | length == 0)
  tags:
    - configure_strategy
    - high_disruption
    - low_complexity
    - mount_option_var_nosuid
    - no_reboot_needed
    - unknown_severity

- name: >-
    Add nosuid Option to /var: Make sure nosuid option is part of the to /var
    options
  # Append ",nosuid" to the options string collected from fstab.  The guard
  # is a substring test on that string, so an entry that already carries
  # nosuid is left unchanged and the task is skipped when no fstab entry
  # for /var was found (mount_info undefined).
  set_fact:
    mount_info: "{{ mount_info | combine({'options': mount_info.options ~ ',nosuid'}) }}"
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - mount_info is defined and "nosuid" not in mount_info.options
  tags:
    - configure_strategy
    - high_disruption
    - low_complexity
    - mount_option_var_nosuid
    - no_reboot_needed
    - unknown_severity

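- name: 'Add nosuid Option to /var: Ensure /var is mounted with nosuid option'
  # Write the fstab entry back with the extended option list and (re)mount
  # /var so the new options take effect on the running system — this is the
  # step behind the high_disruption tag.  Only runs when findmnt actually
  # found an fstab entry for /var; the original condition also carried a
  # ("--fstab" | length == 0) disjunct, which is a constant false (the
  # length of a fixed string) and has been dropped.
  mount:
    path: /var
    src: '{{ mount_info.source }}'
    fstype: '{{ mount_info.fstype }}'
    opts: '{{ mount_info.options }}'
    state: mounted
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - device_name.stdout is defined and (device_name.stdout | length > 0)
  tags:
    - configure_strategy
    - high_disruption
    - low_complexity
    - mount_option_var_nosuid
    - no_reboot_needed
    - unknown_severity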