V-215235

CAT II (Medium)

AIX removable media, remote file systems, and any file system not containing approved device files must be mounted with the nodev option.

Rule ID

SV-215235r991589_rule

STIG

IBM AIX 7.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000366

Discussion

The nodev (or equivalent) mount option causes the system to not handle device files as system devices. This option must be used for mounting any file system not containing approved device files. Device files can provide direct access to system hardware and can compromise security if not protected.

Check Content

Identify any file system mounted from removable media, network shares, or file systems not containing any approved device files:

# cat /etc/filesystems

/:

        dev             = /dev/hd4
        vfs             = jfs2
        log             = /dev/hd8
        mount           = automatic
        check           = false
        type            = bootfs
        vol             = root
        free            = true

/home:

        dev       = /dev/hd1
        vol       = "/home"
        mount     = true
        check     = true
        free      = false
        vfs       = jfs2
        log       = /dev/hd8

10.17.76.74:/opt/nfs /home/doejohn

        vfs             = nfs
        log             = /dev/hd8
        mount           = true
        options        = nodev 
        account         = false

If any file system mounted from removable media, network shares, or file systems not containing any approved device files is not using the "nodev" option, this is a finding.
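
One way to automate this check, as an added example that is not part of the STIG text: the script parses the stanza format shown above and reports every stanza whose options list lacks the nodev token. The function names and the REMOTE_VFS list are assumptions; stanzas reported as REVIEW still need a manual decision on whether they contain approved device files.

```shell
# Added example: list /etc/filesystems stanzas whose "options" lack the nodev token.
# Output per stanza without nodev: <stanza> TAB <vfs> TAB <REMOTE_OR_REMOVABLE|REVIEW>
# REMOTE_VFS is an assumption (AIX NFS, CIFS, CD-ROM and UDF types); adjust per site.
REMOTE_VFS="nfs nfs3 nfs4 cifs cdrfs udfs"
audit_nodev() {   # usage: audit_nodev [file]   (reads stdin when no file is given)
    awk -v remote="$REMOTE_VFS" '
    function report(   i, n, tok, has, cls) {
        if (name == "") return
        has = 0; n = split(opts, tok, ",")
        for (i = 1; i <= n; i++) {
            gsub(/[ \t]/, "", tok[i])
            if (tok[i] == "nodev") has = 1       # exact token, not a substring
        }
        if (!has) {
            cls = (index(" " remote " ", " " vfs " ") ? "REMOTE_OR_REMOVABLE" : "REVIEW")
            printf "%s\t%s\t%s\n", name, vfs, cls
        }
    }
    /^[ \t]*$/ || /^[ \t]*\*/ { next }           # blank line or "*" comment
    /^[^ \t]/ {                                  # unindented line starts a stanza
        report(); name = $0; sub(/:[ \t]*$/, "", name)
        vfs = "unknown"; opts = ""; next
    }
    {                                            # indented "attr = value" line
        eq = index($0, "="); if (!eq) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "vfs") vfs = val
        if (key == "options") opts = val
    }
    END { report() }' "$@"
}
sample_filesystems() {   # constructed sample input, not taken from a real host
    cat <<'EOF'
/:
        vfs     = jfs2
/home/doejohn:
        vfs     = nfs
        options = rw,bg,nodev
/mnt/share:
        vfs     = nfs
        options = rw,bg,hard
/cdrom:
        vfs     = cdrfs
        options = ro
EOF
}
sample_filesystems | audit_nodev
```

On a live system, run `audit_nodev /etc/filesystems`; any REMOTE_OR_REMOVABLE line corresponds to a finding under this rule.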

Fix Text

Edit "/etc/filesystems" and add "options = nodev" to all entries for remote or removable media file systems and for file systems containing no approved device files.