{"description": "The <tt>nosuid</tt> mount option can be used to prevent\nexecution of setuid programs in <tt>/opt</tt>. The SUID and SGID permissions\nshould not be required in this directory.\nAdd the <code>nosuid</code> option to the fourth column of\n<tt>/etc/fstab</tt> for the line which controls mounting of\n<code>/opt</code>.", "rationale": "The presence of SUID and SGID executables should be tightly controlled. The\n<tt>/opt</tt> directory contains additional software packages. Users should\nnot be able to execute SUID or SGID binaries from this directory.", "severity": "medium", "references": {"anssi": ["R28"]}, "control_references": {"anssi": ["R28"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"/opt\" file system does not have the \"nosuid\" option set", "ocil": "To verify that the <tt>nosuid</tt> option is configured for the <tt>/opt</tt> mount point,\n    run the following command:\n    <pre>$ sudo mount | grep '\\s/opt\\s'</pre>\n    <pre>. . . /opt . . . nosuid . . .</pre>\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "mount[opt]", "platforms": ["mount[opt]"], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": ["mount_opt"], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Add nosuid Option to /opt", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/partitions/mount_option_opt_nosuid/rule.yml", "template": {"name": "mount_option", "vars": {"mountpoint": "/opt", "mountoption": "nosuid"}, "backends": {}}}