{"description": "The <tt>nosuid</tt> mount option can be used to prevent\nexecution of setuid programs in <tt>/tmp</tt>. The SUID and SGID permissions\nshould not be required in these world-writable directories.\nAdd the <code>nosuid</code> option to the fourth column of\n<tt>/etc/fstab</tt> for the line which controls mounting of\n<code>/tmp</code>.", "rationale": "The presence of SUID and SGID executables should be tightly controlled. Users\nshould not be able to execute SUID or SGID binaries from temporary storage partitions.", "severity": "medium", "references": {"cis-csc": ["11", "13", "14", "3", "8", "9"], "cobit5": ["APO13.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS05.02", "DSS05.05", "DSS05.06", "DSS06.06"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 7.6"], "iso27001-2013": ["A.11.2.9", "A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.8.2.1", "A.8.2.2", "A.8.2.3", "A.8.3.1", "A.8.3.3", "A.9.1.2"], "nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)", "AC-6", "AC-6(1)", "MP-7"], "nist-csf": ["PR.IP-1", "PR.PT-2", "PR.PT-3"], "srg": ["SRG-OS-000368-GPOS-00154"], "anssi": ["R28"], "cis": ["1.1.2.1.3"]}, "control_references": {"anssi": ["R28"], "cis": ["1.1.2.1.3"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"/tmp\" file system does not have the \"nosuid\" option set", "ocil": "Verify the <tt>nosuid</tt> option is configured for the <tt>/tmp</tt> mount point,\n    run the following command:\n    <pre>$ sudo mount | grep '\\s/tmp\\s'</pre>\n    <pre>. . . /tmp . . . nosuid . . .</pre>\n", "oval_external_content": null, "fixtext": "Modify \"/etc/fstab\" to use the \"nosuid\" option on the \"/tmp\" directory.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must mount /tmp with the nosuid option.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must mount /tmp with the nosuid option.", "vuldiscussion": "The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.", "checktext": "Verify \"/tmp\" is mounted with the \"nosuid\" option:\n\n$ mount | grep /tmp\n\n/dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel)\n\nIf the \"/tmp\" file system is mounted without the \"nosuid\" option, this is a finding.", "fixtext": "Modify \"/etc/fstab\" to use the \"nosuid\" option on the \"/tmp\" directory."}}, "platform": "mount[tmp]", "platforms": ["mount[tmp]"], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": ["mount_tmp"], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Add nosuid Option to /tmp", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml", "template": {"name": "mount_option", "vars": {"mountpoint": "/tmp", "mountoption": "nosuid"}, "backends": {}}}