{"description": "The <tt>nosuid</tt> mount option can be used to prevent\nexecution of setuid programs in <tt>/boot</tt>. The SUID and SGID permissions\nshould not be required on the boot partition.\nAdd the <code>nosuid</code> option to the fourth column of\n<tt>/etc/fstab</tt> for the line which controls mounting of\n<code>/boot</code>.", "rationale": "The presence of SUID and SGID executables should be tightly controlled. Users\nshould not be able to execute SUID or SGID binaries from boot partitions.", "severity": "medium", "references": {"nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)", "AC-6", "AC-6(1)", "MP-7"], "nist-csf": ["PR.IP-1", "PR.PT-2", "PR.PT-3"], "srg": ["SRG-OS-000368-GPOS-00154", "SRG-OS-000480-GPOS-00227"], "anssi": ["R28"]}, "control_references": {"anssi": ["R28"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"/boot\" file system does not have the \"nosuid\" option set", "ocil": "Verify the <tt>nosuid</tt> option is configured for the <tt>/boot</tt> mount point,\n    run the following command:\n    <pre>$ sudo mount | grep '\\s/boot\\s'</pre>\n    <pre>. . . /boot . . . nosuid . . .</pre>\n", "oval_external_content": null, "fixtext": "Modify \"/etc/fstab\" to use the \"nosuid\" option on the \"/boot\" directory.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must mount /boot with the nosuid option.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.", "vuldiscussion": "The \"nosuid\" mount option causes the system not to execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.", "checktext": "Verify the /boot directory is mounted with the \"nosuid\" option with the following command:\n\n$ mount | grep '\\s/boot\\s'\n\n/dev/sda1 on /boot type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota)\n\nIf the /boot file system does not have the \"nosuid\" option set, this is a finding.", "fixtext": "Modify \"/etc/fstab\" to use the \"nosuid\" option on the \"/boot\" directory."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Add nosuid Option to /boot", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml", "template": {"name": "mount_option", "vars": {"mountpoint": "/boot", "mountoption": "nosuid"}, "backends": {}}}