{"description": "The <tt>nodev</tt> mount option prevents the kernel from interpreting\ncharacter or block device files on <tt>/var</tt>; a device node created\nthere cannot be opened as a device.\nLegitimate character and block devices should exist only in\nthe <tt>/dev</tt> directory on the root partition or within chroot\njails built for system services.\nAdd the <code>nodev</code> option to the fourth column of\n<tt>/etc/fstab</tt> for the line that controls mounting of\n<code>/var</code>, then remount the file system so the option takes effect.", "rationale": "The only legitimate location for device files is the <tt>/dev</tt> directory\nlocated on the root partition. The only exception to this is chroot jails.", "severity": "medium", "references": {"nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)", "AC-6", "AC-6(1)", "MP-7"], "nist-csf": ["PR.IP-1", "PR.PT-2", "PR.PT-3"], "srg": ["SRG-OS-000368-GPOS-00154"], "cis": ["1.1.2.4.2"]}, "control_references": {"cis": ["1.1.2.4.2"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"/var\" file system does not have the \"nodev\" option set", "ocil": "Verify the <tt>nodev</tt> option is configured for the <tt>/var</tt> mount point,\n    run the following command:\n    <pre>$ sudo mount | grep '\\s/var\\s'</pre>\n    <pre>. . . /var . . . nodev . . .</pre>\n", "oval_external_content": null, "fixtext": "Modify \"/etc/fstab\" to use the \"nodev\" option on the \"/var\" directory, then remount \"/var\" so the option takes effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must mount /var with the nodev option.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must mount /var with the nodev option.", "vuldiscussion": "The \"nodev\" mount option causes the system to not interpret character or block special devices. Using character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.\n\nThe only legitimate location for device files is the \"/dev\" directory located on the root partition, with the exception of chroot jails if implemented.", "checktext": "Verify \"/var\" is mounted with the \"nodev\" option:\n\n$ mount | grep '\\s/var\\s'\n\n/dev/mapper/rhel-var on /var type xfs (rw,nodev,nosuid,noexec,seclabel)\n\nIf the \"/var\" file system is mounted without the \"nodev\" option, this is a finding.", "fixtext": "Modify \"/etc/fstab\" to use the \"nodev\" option on the \"/var\" directory, then remount \"/var\" so the option takes effect."}}, "platform": "mount[var]", "platforms": ["mount[var]"], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": ["mount_var"], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Add nodev Option to /var", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/partitions/mount_option_var_nodev/rule.yml", "template": {"name": "mount_option", "vars": {"mountpoint": "/var", "mountoption": "nodev"}, "backends": {}}}
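The check and fix described by this rule, as an added shell example that is not part of the SSG rule, its `mount_option` template or its remediation scripts. It runs entirely on constructed input: a three-line `/etc/fstab` fragment whose `/var` entry lacks `nodev`, and a three-line `mount` listing in the same shape the check text greps for. The two helper functions `add_mount_option` and `mount_has_option` are assumptions of this example. The check matches the whole mountpoint field, because a bare `grep /var` also matches `/var/log` and would wrongly pass on the constructed listing below.

```shell
#!/bin/sh
# Added example, not part of the SSG rule or its remediation content.
# Demonstrates the two halves of this rule on constructed input:
#   1. adding nodev to the 4th column of the /var entry in /etc/fstab
#   2. checking whether a mounted /var currently carries nodev

# Constructed /etc/fstab content: /var is missing nodev, /var/log already has it.
FSTAB_BEFORE='UUID=0000-root / ext4 defaults 0 1
UUID=0000-var /var ext4 defaults,nosuid 0 2
UUID=0000-varlog /var/log ext4 defaults,nodev,nosuid,noexec 0 2'

# add_mount_option MOUNTPOINT OPTION
# Reads fstab text on stdin and writes it on stdout. Appends OPTION to the
# 4th column of the entry whose 2nd column is exactly MOUNTPOINT, unless the
# option is already listed, so the function is idempotent. Comments, blank
# lines and other entries pass through unchanged. Note that awk rewrites a
# modified line with single spaces between fields (tabs are not preserved).
add_mount_option() {
    awk -v mp="$1" -v opt="$2" '
        /^[[:space:]]*#/ || NF == 0 { print; next }
        $2 == mp {
            n = split($4, o, ",")
            found = 0
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
            if (!found) $4 = $4 "," opt
        }
        { print }'
}

# Constructed output of `mount` (hypothetical device names).
MOUNT_OUTPUT='/dev/mapper/vg-root on / type ext4 (rw,relatime,errors=remount-ro)
/dev/mapper/vg-var on /var type ext4 (rw,nosuid,relatime)
/dev/mapper/vg-varlog on /var/log type ext4 (rw,nodev,nosuid,noexec,relatime)'

# mount_has_option MOUNTPOINT OPTION
# Reads `mount` output on stdin; exits 0 if MOUNTPOINT is mounted with OPTION,
# 1 otherwise. The mountpoint is field 3 of "DEV on MP type FS (opts)" and is
# compared whole, so /var does not match /var/log.
mount_has_option() {
    awk -v mp="$1" -v opt="$2" '
        $3 == mp {
            opts = $6; gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

main() {
    if printf '%s\n' "$MOUNT_OUTPUT" | mount_has_option /var nodev; then
        echo "/var is already mounted with nodev"
    else
        echo "/var is mounted without nodev; corrected fstab entry:"
        printf '%s\n' "$FSTAB_BEFORE" | add_mount_option /var nodev | awk '$2 == "/var"'
        echo "then apply it with: sudo mount -o remount /var"
    fi
}
main
```

On a real host the same functions would be fed `mount` and `/etc/fstab` directly; the remount step is what makes the fstab change take effect without a reboot, and is worth re-checking with the mount listing afterwards.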