{"description": "The <tt>nosuid</tt> mount option can be used to prevent\nexecution of setuid programs in <tt>/var</tt>. The SUID and SGID permissions\nshould not be required for this directory.\nAdd the <code>nosuid</code> option to the fourth column of\n<tt>/etc/fstab</tt> for the line which controls mounting of\n<code>/var</code>.", "rationale": "The presence of SUID and SGID executables should be tightly controlled.", "severity": "medium", "references": {"anssi": ["R28"], "cis": ["1.1.2.4.3"]}, "control_references": {"anssi": ["R28"], "cis": ["1.1.2.4.3"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"/var\" file system does not have the \"nosuid\" option set", "ocil": "To verify that the <tt>nosuid</tt> option is configured for the <tt>/var</tt> mount point,\n    run the following command:\n    <pre>$ sudo mount | grep '\\s/var\\s'</pre>\n    <pre>. . . /var . . . nosuid . . .</pre>\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "mount[var]", "platforms": ["mount[var]"], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": ["mount_var"], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Add nosuid Option to /var", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/partitions/mount_option_var_nosuid/rule.yml", "template": {"name": "mount_option", "vars": {"mountpoint": "/var", "mountoption": "nosuid"}, "backends": {}}}