{"description": "The nodev mount option prevents files from being interpreted as\ncharacter or block devices. Legitimate character and block devices should\nexist only in the /dev directory on the root partition or within\nchroot jails built for system services.\nAdd the nodev option to the fourth column of\n/etc/fstab for the line which controls mounting of\n\n any non-root local partitions.", "rationale": "The nodev mount option prevents files from being\ninterpreted as character or block devices. The only legitimate location\nfor device files is the /dev directory located on the root partition.\nThe only exception to this is chroot jails, for which it is not advised\nto set nodev on these filesystems.", "severity": "medium", "references": {"cis-csc": ["11", "14", "3", "9"], "cobit5": ["BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS05.02", "DSS05.05", "DSS06.06"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.9.1.2"], "nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)", "AC-6", "AC-6(1)", "MP-7"], "nist-csf": ["PR.IP-1", "PR.PT-3"], "srg": ["SRG-OS-000368-GPOS-00154", "SRG-OS-000480-GPOS-00227"], "anssi": ["R28"]}, "control_references": {"anssi": ["R28"]}, "components": [], "identifiers": {}, "ocil_clause": "some mounts appear among output lines", "ocil": "To verify the nodev option is configured for non-root local partitions, run the following command:\n$ sudo mount | grep '^/dev\\S* on /\\S' | grep --invert-match 'nodev'
\nThe output shows local non-root partitions mounted without the nodev option, and there should be no output at all.\n", "oval_external_content": null, "fixtext": "Configure the \"/etc/fstab\" to use the \"nodev\" option on all non-root local partitions.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must prevent special devices on non-root local partitions.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must prevent special devices on non-root local partitions.", "vuldiscussion": "The \"nodev\" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.\n\nThe only legitimate location for device files is the \"/dev\" directory located on the root partition, with the exception of chroot jails if implemented.", "checktext": "Verify all non-root local partitions are mounted with the \"nodev\" option with the following command:\n\n$ sudo mount | grep '^/dev\\S* on /\\S' | grep --invert-match 'nodev'\n\nIf any output is produced, this is a finding.", "fixtext": "Configure the \"/etc/fstab\" to use the \"nodev\" option on all non-root local partitions."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Add nodev Option to Non-Root Local Partitions", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml", "template": null}