The Oracle Linux operating system must mount /dev/shm with secure options.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-221747 | OL07-00-021024 | SV-221747r958804_rule | CCI-001764 | low |
| Description | ||||
| The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. | ||||
| STIG | Date | |||
| Oracle Linux 7 Security Technical Implementation Guide | 2025-05-08 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-7(2)
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.4.7
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-001764
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-221747r958804_chk)
Verify that the "nodev","nosuid", and "noexec" options are configured for /dev/shm:
# cat /etc/fstab | grep /dev/shm
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
If results are returned and the "nodev","nosuid", or "noexec" options are missing, this is a finding.
Verify "/dev/shm" is mounted with the "nodev","nosuid", and "noexec" options:
# mount | grep /dev/shm
tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)
If /dev/shm is mounted without secure options "nodev", "nosuid", and "noexec", this is a finding.
Fix Text (F-36245r602438_fix)
Configure the system so that /dev/shm is mounted with the "nodev", "nosuid", and "noexec" options by adding /modifying the /etc/fstab with the following line:
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0