RHEL 7 STIG Update - RHEL-07-021022 - Added Rule #3374

Closed
mrabe142 opened this issue Sep 26, 2018 · 2 comments · Fixed by #5830
Comments

@mrabe142

As part of the latest RHEL 7 STIG update referenced in #3370, a new rule has been added. Information about the rule is outlined below:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide :: Release: 1 Benchmark Date: 27 Jul 2018
Vuln ID: V-81009 Rule ID: SV-95721r1_rule STIG ID: RHEL-07-021022
Severity: CAT III Check Reference: M Classification: Unclass

Group Title: SRG-OS-000368-GPOS-00154

Rule Title: The Red Hat Enterprise Linux operating system must mount /dev/shm with the nodev option.

Discussion: The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Check Text: Verify that the "nodev" option is configured for /dev/shm.

Check that the operating system is configured to use the "nodev" option for /dev/shm with the following command:

# cat /etc/fstab | grep /dev/shm | grep nodev

tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0

If the "nodev" option is not present on the line for "/dev/shm", this is a finding.

Verify "/dev/shm" is mounted with the "nodev" option:

# mount | grep "/dev/shm" | grep nodev

If no results are returned, this is a finding.

Fix Text: Configure the "/etc/fstab" to use the "nodev" option for all lines containing "/dev/shm".

References
CCI: CCI-001764: The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
NIST SP 800-53 Revision 4 :: CM-7 (2)
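The check above chains two greps, which also matches a commented-out /dev/shm line in /etc/fstab. As an added example (not from the issue, the STIG, or SSG), this POSIX sh script parses the fstab and mount fields instead; the fstab and mount samples are constructed, and the function names are my own:

```shell
#!/bin/sh
# Added example, not from the issue or the STIG: check RHEL-07-021022 by parsing
# fields instead of substring-grepping, so a commented-out fstab line cannot pass.

# Constructed /etc/fstab sample: commented-out compliant entry, then a live
# /dev/shm entry that lacks nodev.
SAMPLE_FSTAB='# tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
UUID=placeholder-root / xfs defaults 0 0
tmpfs /dev/shm tmpfs defaults,nosuid,noexec 0 0'
# Constructed "mount" output line for a compliant runtime mount.
SAMPLE_MOUNT='tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,seclabel)'

# The STIG check as written; it matches the commented line above and passes.
naive_fstab_check() {
    printf '%s\n' "$1" | grep /dev/shm | grep -q nodev
}

# fstab_has_nodev FSTAB_TEXT: 0 if every uncommented /dev/shm entry lists nodev
# as a whole option; 1 if any lacks it or no entry exists.
fstab_has_nodev() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == "/dev/shm" {
            found = 1; ok = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "nodev") ok = 1
            if (!ok) bad = 1
        }
        END { status = (found && !bad) ? 0 : 1; exit status }'
}

# mount_has_nodev MOUNT_TEXT: 0 if the live /dev/shm mount lists nodev.
mount_has_nodev() {
    printf '%s\n' "$1" | awk '
        $3 == "/dev/shm" {
            gsub(/[()]/, "", $6)
            n = split($6, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "nodev") ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# shm_nodev_finding FSTAB_TEXT MOUNT_TEXT: 0 when both checks pass, else 1.
shm_nodev_finding() {
    rc=0
    fstab_has_nodev "$1" || { echo "finding: /etc/fstab /dev/shm entry lacks nodev"; rc=1; }
    mount_has_nodev "$2" || { echo "finding: /dev/shm not mounted with nodev"; rc=1; }
    return "$rc"
}
shm_nodev_finding "$SAMPLE_FSTAB" "$SAMPLE_MOUNT" || echo "RHEL-07-021022: finding"
```

On a real host, pass `"$(cat /etc/fstab)"` and `"$(mount)"` instead of the constructed samples.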

@tedbrunell (Collaborator)

This rule verifies a default setting in RHEL 7 - mounting /dev/shm with the nodev option. A rule should be added to the DISA STIG profile in SSG to ensure that the default behavior is maintained. There is a Red Hat KB article outlining how to change the options for /dev/shm at https://access.redhat.com/solutions/1384183. Adding the rule will ensure that the default behavior is enforced.

@yuumasato yuumasato modified the milestones: 0.1.42, 0.1.43 Dec 11, 2018
@tedbrunell (Collaborator)

@shawndwells This rule is still missing when comparing the 1.43 version under development and the RHEL 7 v2r2 from DoD.

@yuumasato yuumasato modified the milestones: 0.1.43, 0.1.44 Feb 21, 2019
@yuumasato yuumasato modified the milestones: 0.1.44, 0.1.45 May 3, 2019
@yuumasato yuumasato modified the milestones: 0.1.45, 0.1.46 Jul 22, 2019
@yuumasato yuumasato modified the milestones: 0.1.46, 0.1.47 Sep 2, 2019
@yuumasato yuumasato modified the milestones: 0.1.47, 0.1.48 Nov 5, 2019
@yuumasato yuumasato modified the milestones: 0.1.48, 0.1.49 Jan 9, 2020
@marcusburghardt marcusburghardt added the STIG STIG Benchmark related. label Jun 28, 2022