← Back to Red Hat Enterprise Linux 10 Security Technical Implementation Guide

V-281091

CAT II (Medium)

RHEL 10 must mount "/var/log/audit" with the "nodev" option.

Rule ID

SV-281091r1165628_rule

STIG

Red Hat Enterprise Linux 10 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001764

Discussion

The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.

Check Content

Verify RHEL 10 is configured so that "/var/log/audit" is mounted with the "nodev" option:

$ mount | grep /var/log/audit
/dev/mapper/luks-4e45e1ad-5337-42c4-a19f-ee12ccc1d502 on /var/log/audit type xfs (rw,nodev,nosuid,noexec,seclabel)

If the "/var/log/audit" file system is mounted without the "nodev" option, this is a finding.

Fix Text

Configure RHEL 10 to mount "/var/log/audit" with the "nodev" option.

Modify "/etc/fstab" to use the "nodev" option on the "/var/log/audit" directory.