{"description": "The <tt>nodev</tt> mount option can be used to prevent device files from\nbeing created in <tt>/boot</tt>.\nLegitimate character and block devices should exist only in\nthe <tt>/dev</tt> directory on the root partition or within chroot\njails built for system services.\nAdd the <code>nodev</code> option to the fourth column of\n<tt>/etc/fstab</tt> for the line which controls mounting of\n<code>/boot</code>.", "rationale": "The only legitimate location for device files is the <tt>/dev</tt> directory\nlocated on the root partition. The only exception to this is chroot jails.", "severity": "medium", "references": {"nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)", "AC-6", "AC-6(1)", "MP-7"], "nist-csf": ["PR.IP-1", "PR.PT-2", "PR.PT-3"], "srg": ["SRG-OS-000368-GPOS-00154"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the \"/boot\" file system does not have the \"nodev\" option set", "ocil": "Verify the <tt>nodev</tt> option is configured for the <tt>/boot</tt> mount point,\n    run the following command:\n    <pre>$ sudo mount | grep '\\s/boot\\s'</pre>\n    <pre>. . . /boot . . . nodev . . .</pre>\n", "oval_external_content": null, "fixtext": "Modify \"/etc/fstab\" to use the \"nodev\" option on the \"/boot\" directory.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must mount /boot with the nodev option.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must mount /boot with the nodev option.", "vuldiscussion": "The only legitimate location for device files is the \"/dev\" directory located on the root partition. The only exception to this is chroot jails.", "checktext": "Verify that the \"/boot\" mount point has the \"nodev\" option with the following command:\n\n$ mount | grep '\\s/boot\\s'\n\n/dev/sda1 on /boot type xfs (rw,nodev,relatime,seclabel,attr2)\n\nIf the \"/boot\" file system does not have the \"nodev\" option set, this is a finding.", "fixtext": "Modify \"/etc/fstab\" to use the \"nodev\" option on the \"/boot\" directory."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Add nodev Option to /boot", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/partitions/mount_option_boot_nodev/rule.yml", "template": {"name": "mount_option", "vars": {"mountpoint": "/boot", "mountoption": "nodev"}, "backends": {}}}
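The rule's check looks at the live mount table (`mount | grep '\s/boot\s'`), while its fix edits the fourth column of `/etc/fstab`; the two can disagree until `/boot` is remounted. The following POSIX shell script is an added example and not part of the SCAP Security Guide rule, its OVAL check or its remediation: it audits the options column of an fstab entry for a given mount point, produces a corrected fstab with `nodev` appended only where it is missing, and wraps the same live-mount test the checktext uses. The fstab text, device UUIDs and `/swapfile` entry are constructed placeholders.

```shell
#!/bin/sh
# Added example, not SSG code: audit and fix the options column of an
# fstab entry.  The fstab below, its UUIDs and paths are constructed
# placeholders, not taken from a real system.

SAMPLE_FSTAB='# /etc/fstab: static file system information (constructed sample).
UUID=11111111-2222-3333-4444-555555555555 /     ext4 errors=remount-ro 0 1
UUID=66666666-7777-8888-9999-000000000000 /boot ext4 defaults          0 2
/swapfile                                 none  swap sw                0 0'

# Print the fourth (mount options) column of the entry for mount point $2
# in the fstab text $1.  Comment lines are skipped; the first match wins.
fstab_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '!/^#/ && $2 == mp { print $4; exit }'
}

# Return 0 when option $3 appears in the options of mount point $2.
# The option list is wrapped in commas so that "dev" cannot match "nodev".
has_option() {
    opts=$(fstab_options "$1" "$2")
    case ",$opts," in
        *",$3,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Emit fstab text $1 with option $3 appended to the options of mount
# point $2.  Lines that already carry the option, and every other line,
# pass through unchanged, so the function is idempotent.  awk rebuilds the
# edited line with single-space field separators.
add_option() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        !/^#/ && $2 == mp && ("," $4 ",") !~ ("," opt ",") { $4 = $4 "," opt }
        { print }'
}

# Live check equivalent to the rule's mount | grep test: return 0 when mount
# point $1 is currently mounted with option $2.  mount prints
# "<dev> on <mp> type <fs> (<opts>)", so the mount point is field 3 and the
# parenthesised option list is the last field.  Needs a real system, so it
# is not exercised against the sample data.
mounted_with() {
    mount | awk -v mp="$1" -v opt="$2" \
        '$3 == mp && ("," $NF ",") ~ ("," opt ",") { found = 1 } END { exit !found }'
}

# Demonstration on the constructed fstab: report the finding, then show the
# corrected table that would be written to /etc/fstab.
if has_option "$SAMPLE_FSTAB" /boot nodev; then
    echo "/boot already has nodev in fstab"
else
    echo "finding: /boot lacks nodev in fstab; corrected table follows"
    add_option "$SAMPLE_FSTAB" /boot nodev
fi
```

After writing the corrected table to `/etc/fstab`, apply it without a reboot with `mount -o remount /boot` and re-run the live check (`mounted_with /boot nodev`); until the remount, the fstab audit passes while the rule's own `mount`-based check still fails. The sample output in the checktext (`xfs` with `seclabel`) comes from an SELinux-labelled system; on Ubuntu 22.04 the filesystem type and option string will differ, and only the presence of `nodev` in the parenthesised list matters.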