{"description": "The <tt>nosuid</tt> mount option prevents set-user-identifier (SUID)\nand set-group-identifier (SGID) permissions from taking effect. These permissions\nallow users to execute binaries with the same permissions as the owner and group\nof the file respectively. Users should not be allowed to introduce SUID and SGID\nfiles into the system via partitions mounted from removable media.\nAdd the <code>nosuid</code> option to the fourth column of\n<tt>/etc/fstab</tt> for the line which controls mounting of\nany removable media partitions.", "rationale": "The presence of SUID and SGID executables should be tightly controlled. Allowing\nusers to introduce SUID or SGID binaries from partitions mounted off of\nremovable media would allow them to introduce their own highly-privileged programs.", "severity": "medium", "references": {"cis-csc": ["11", "12", "13", "14", "15", "16", "18", "3", "5", "8", "9"], "cobit5": ["APO01.06", "APO13.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS01.04", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.06", "DSS05.07", "DSS06.02", "DSS06.03", "DSS06.06"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 5.2", "SR 7.6"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.11.2.6", "A.11.2.9", "A.12.1.2", "A.12.5.1", "A.12.6.2", "A.13.1.1", "A.13.1.3", "A.13.2.1", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.6.1.2", "A.6.2.1", "A.6.2.2", "A.7.1.1", 
"A.7.1.2", "A.7.3.1", "A.8.2.1", "A.8.2.2", "A.8.2.3", "A.8.3.1", "A.8.3.3", "A.9.1.1", "A.9.1.2", "A.9.2.1", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)", "AC-6", "AC-6(1)", "MP-7"], "nist-csf": ["PR.AC-3", "PR.AC-4", "PR.AC-6", "PR.DS-5", "PR.IP-1", "PR.PT-2", "PR.PT-3"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "file system found in \"/etc/fstab\" refers to removable media and it does not have the \"nosuid\" option set", "ocil": "Verify file systems that are used for removable media are mounted with the \"nosuid\" option with the following command:\n\n$ sudo more /etc/fstab\n\nUUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0", "oval_external_content": null, "fixtext": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are associated with removable media.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.", "vuldiscussion": "The \"nosuid\" mount option causes the system not to execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setgid\" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.", "checktext": "Verify file systems that are used for removable media are mounted with the \"nosuid\" option with the following command:\n\n$ more /etc/fstab\n\nUUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0\n\nIf a file system found in \"/etc/fstab\" refers to removable media and it does not have the \"nosuid\" option set, this is a finding.", "fixtext": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are associated with removable media."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Add nosuid Option to Removable Media Partitions", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml", "template": {"name": "mount_option_removable_partitions", "vars": {"mountoption": "nosuid"}, "backends": {"anaconda": "off"}}}