{"description": "<tt>/dev/shm</tt> is the traditional shared memory location: one program\ncreates a memory segment that other processes (if permitted) can map.\nIf <tt>/dev/shm</tt> is not configured explicitly, systemd mounts a\ntmpfs on /dev/shm.", "rationale": "Any user can upload and execute files inside <tt>/dev/shm</tt>, just as in\nthe <tt>/tmp</tt> partition. Configuring <tt>/dev/shm</tt> as its own file system allows an\nadministrator to set the noexec option on the mount, making /dev/shm useless to an attacker\nas a place to install executable code. Because hardlinks cannot span file systems, a separate\nmount also prevents an attacker from creating a hardlink to a system setuid program and\nwaiting for it to be updated. Once the program was updated, the hardlink would no longer\npoint at the updated binary and the attacker would keep their own copy of the old program.\nIf that program had a security vulnerability, the attacker could continue to exploit\nthe known flaw.", "severity": "low", "references": {"cis": ["1.1.2.2.1"]}, "control_references": {"cis": ["1.1.2.2.1"]}, "components": [], "identifiers": {}, "ocil_clause": "\"/dev/shm is not a mountpoint\" is returned", "ocil": "Verify that a separate file system/partition has been created for <code>/dev/shm</code> with the following command:\n\n<pre>$ mountpoint /dev/shm</pre>\n", "oval_external_content": null, "fixtext": "Migrate the \"/dev/shm\" path onto a separate file system.", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule does not have a remediation.\nIt is expected that this will be managed by systemd and will be a tmpfs partition."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Ensure /dev/shm is configured", "definition_location": 
"/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml", "template": {"name": "mount", "vars": {"mountpoint": "/dev/shm"}, "backends": {"blueprint": "off", "anaconda": "off", "kickstart": "off"}}}
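A shell check in the spirit of the OCIL step above, added here as an example; it is not part of the SSG rule content or its "mount" template. It first confirms that /dev/shm is a mount point (the rule's own check) and then inspects the live mount options for the nosuid, nodev and noexec flags the rationale describes. It relies on mountpoint(1) and findmnt(8) from util-linux; the function names, the "--run" argument convention and the fstab line in the comment are this example's own assumptions, not something the rule prescribes.

```shell
#!/bin/sh
# Added example, not SSG rule content: verify /dev/shm is a separate mount
# and that it carries the hardening options the rule's rationale describes.
# Function names and the --run convention are assumptions of this example.

# Pure helper: given a comma-separated mount option string (the form printed
# by `findmnt -no OPTIONS /dev/shm`), print the hardening options that are
# absent, comma-separated, or an empty line when none are missing.
shm_missing_options() {
    opts=",$1,"        # pad so every option is delimited on both sides
    missing=""
    for want in nosuid nodev noexec; do
        case "$opts" in
            *",$want,"*) ;;                                  # present
            *) missing="${missing:+$missing,}$want" ;;       # absent
        esac
    done
    printf '%s\n' "$missing"
}

# Live check. Exit status: 0 = compliant, 1 = not a mount point (the rule's
# OCIL failure clause), 2 = mounted but missing hardening options.
check_dev_shm() {
    if ! mountpoint -q /dev/shm; then
        echo "/dev/shm is not a mountpoint"
        return 1
    fi
    opts=$(findmnt -no OPTIONS /dev/shm)
    missing=$(shm_missing_options "$opts")
    if [ -n "$missing" ]; then
        echo "/dev/shm is a mountpoint but lacks: $missing"
        return 2
    fi
    echo "/dev/shm is a separate mount with nosuid,nodev,noexec"
    return 0
}

# Example (assumed, not from the rule) of pinning the options in /etc/fstab
# when the systemd default tmpfs mount should be overridden:
#   tmpfs  /dev/shm  tmpfs  defaults,nosuid,nodev,noexec  0 0

# Only touch the live system when explicitly asked, so the helper above can
# be sourced and exercised on any host without side effects.
case "${1:-}" in
    --run) check_dev_shm ;;
esac
```

Run it as `sh check_shm.sh --run` on the target host; a non-zero exit maps to the failure reason printed. The option parser is kept separate from the live check so it can be fed a copied option string from an audit log or a remote host's findmnt output.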