{"description": "The <tt>nodev</tt> mount option prevents files from being\ninterpreted as character or block devices.\nLegitimate character and block devices should exist only in\nthe <tt>/dev</tt> directory on the root partition or within chroot\njails built for system services.\nAdd the <code>nodev</code> option to the fourth column of\n<tt>/etc/fstab</tt> for each line that controls mounting of\na removable media partition.", "rationale": "The only legitimate location for device files is the <tt>/dev</tt> directory\nlocated on the root partition. An exception to this is chroot jails, and it is\nnot advised to set <tt>nodev</tt> on partitions which contain their root\nfilesystems.", "severity": "medium", "references": {"cis-csc": ["11", "12", "13", "14", "16", "3", "8", "9"], "cobit5": ["APO13.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS01.04", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.06", "DSS05.07", "DSS06.03", "DSS06.06"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.11.2.9", "A.12.1.2", "A.12.5.1", "A.12.6.2", "A.13.1.1", "A.13.2.1", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.6.2.1", "A.6.2.2", "A.7.1.1", "A.8.2.1", "A.8.2.2", "A.8.2.3", "A.8.3.1", "A.8.3.3", "A.9.1.2", "A.9.2.1"], "nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["CM-7(a)", 
"CM-7(b)", "CM-6(a)", "AC-6", "AC-6(1)", "MP-7"], "nist-csf": ["PR.AC-3", "PR.AC-6", "PR.IP-1", "PR.PT-2", "PR.PT-3"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "a file system found in \"/etc/fstab\" refers to removable media and it does not have the \"nodev\" option set", "ocil": "Verify file systems that are used for removable media are mounted with the \"nodev\" option with the following command:\n\n$ sudo more /etc/fstab\n\nUUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0", "oval_external_content": null, "fixtext": "Configure the \"/etc/fstab\" to use the \"nodev\" option on file systems that are associated with removable media.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must prevent special devices on file systems that are used with removable media.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must prevent special devices on file systems that are used with removable media.", "vuldiscussion": "The \"nodev\" mount option causes the system not to interpret character or block special devices. 
Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.", "checktext": "Verify file systems that are used for removable media are mounted with the \"nodev\" option with the following command:\n\n$ more /etc/fstab\n\nUUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0\n\nIf a file system found in \"/etc/fstab\" refers to removable media and it does not have the \"nodev\" option set, this is a finding.", "fixtext": "Configure the \"/etc/fstab\" to use the \"nodev\" option on file systems that are associated with removable media."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Add nodev Option to Removable Media Partitions", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml", "template": {"name": "mount_option_removable_partitions", "vars": {"mountoption": "nodev"}, "backends": {"anaconda": "off"}}}
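Added example, not part of this SSG rule, its OVAL check or its remediation template: a POSIX shell audit that reproduces the check text above (find removable-media entries in an fstab-style file without "nodev") and a fix that appends the option where it is missing. The rule leaves "refers to removable media" to the administrator's judgement; this script assumes that any entry mounted under /mnt or /media is removable media, and the sample fstab it audits is constructed, with the compliant line taken from the check text and a deliberately non-compliant /media/backup entry added.

```sh
#!/bin/sh
# Added example, not the rule's own remediation: audit an fstab-style file for
# removable-media entries that lack "nodev", and emit a fixed copy.
# Assumption (not stated by the rule): a removable-media entry is one whose
# mount point lies under /mnt or /media. Adjust is_removable() for your site.

# Constructed sample fstab (not taken from a real system); the first entry is
# the compliant example from the check text, the /media/backup entry is a finding.
SAMPLE_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0
/dev/sdb1 /media/backup ext4 noauto,user,rw 0 0
/dev/sr0 /media/cdrom iso9660 noauto,ro,user,nodev 0 0
UUID=0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b / ext4 errors=remount-ro 0 1'

field() {  # field N LINE -> the Nth whitespace-separated field of LINE
    printf '%s\n' "$2" | awk -v n="$1" '{ print $n }'
}

is_removable() {  # is_removable LINE -> 0 if the mount point is under /mnt or /media
    case "$(field 2 "$1")" in
        /mnt/*|/media/*) return 0 ;;
        *) return 1 ;;
    esac
}

has_option() {  # has_option LINE OPT -> 0 if OPT is a whole token in the options column
    case ",$(field 4 "$1")," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_fstab FILE -> prints the mount point of each removable-media entry that
# lacks nodev; exit status 1 if any were found (a STIG "finding"), else 0.
audit_fstab() {
    rc=0
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}   # trim leading whitespace
        case "$line" in ''|'#'*) continue ;; esac
        if is_removable "$line" && ! has_option "$line" nodev; then
            field 2 "$line"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# fix_fstab FILE -> writes FILE to stdout with ",nodev" appended to the options of
# every removable-media entry that lacks it. Comments and blank lines pass through
# untouched; rewritten entries are re-joined with single spaces by awk.
fix_fstab() {
    awk '
        NF == 0 || $1 ~ /^#/ { print; next }
        $2 ~ "^/(mnt|media)/" && $4 !~ "(^|,)nodev(,|$)" { $4 = $4 ",nodev" }
        { print }
    ' "$1"
}

# Demo: ./nodev_audit.sh --demo audits the constructed sample, fixes it, re-audits.
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_FSTAB" > "$tmp"
    echo "findings before fix:"; audit_fstab "$tmp"
    fix_fstab "$tmp" > "$tmp.fixed"
    echo "findings after fix:"; audit_fstab "$tmp.fixed" && echo "(none)"
    rm -f "$tmp" "$tmp.fixed"
fi
```

On a live system run `audit_fstab /etc/fstab` first and review its output, then `fix_fstab /etc/fstab > /etc/fstab.new` and diff before installing. Two caveats worth keeping in mind: mount(8) documents that the `user`, `users` and `owner` options themselves imply `nodev,nosuid,noexec`, but the check text above is a textual one, so the option must still appear literally in the fourth column; and, as the rationale says, do not apply this to a partition that holds a chroot jail's root filesystem, since its own /dev lives there.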