nosuid mount option is not enabled for /dev/shm partition
Description
Setuid, which stands for set user ID on execution, is a special type of file permission in Linux. When an executable file's setuid permission is set by the file owner, other users may execute that program with a level of access that matches the user who owns the file. The /dev/shm directory is shared memory in the form of a RAM disk, more specifically a world-writable directory that is stored in memory with a defined size limit. Since it is a world-writable directory, it is recommended to enable the nosuid mount option for /dev/shm to prevent block devices from mounting on it.
Severity
important
Category
Linux - Mounting Options Security
Resolution
Follow the steps below to resolve the misconfiguration.
Edit the /etc/fstab file and add nosuid to the fourth field (mount options) for the /dev/shm partition.
Run the following command to remount /dev/shm:
mount -o remount,nosuid /dev/shm
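The two resolution steps above, as an added shell example that is not part of this article and not Vulnerability Manager Plus code: one function reports whether a mount point currently carries a given option (fed with /proc/self/mounts-format lines), and another produces the corrected /etc/fstab text with the option appended to the fourth field, leaving the file unchanged when the option is already there. The function names, the sample mount table and the sample fstab are constructed for illustration; only the live audit helper reads the real /proc/self/mounts.

```shell
#!/bin/sh
# Added example (not from the article): audit and fix the nosuid option on /dev/shm.

# has_mount_option MOUNTS_TEXT MOUNTPOINT OPTION
# MOUNTS_TEXT is in /proc/self/mounts format (fields: source target fstype options ...).
# Prints "yes" and returns 0 if MOUNTPOINT is mounted with OPTION; otherwise "no" and 1.
has_mount_option() {
  mounts="$1"; target="$2"; opt="$3"
  printf '%s\n' "$mounts" | awk -v t="$target" -v o="$opt" '
    $2 == t {
      n = split($4, opts, ",")
      for (i = 1; i <= n; i++) if (opts[i] == o) found = 1
    }
    END { if (found) { print "yes"; exit 0 } else { print "no"; exit 1 } }'
}

# add_fstab_option FSTAB_TEXT MOUNTPOINT OPTION
# Prints FSTAB_TEXT with OPTION appended to the fourth (options) field of the
# MOUNTPOINT line. Comment, blank and short lines pass through untouched, and a
# line that already carries OPTION is left as-is, so the function is idempotent.
# Note: awk rebuilds a modified line with single spaces between fields.
add_fstab_option() {
  fstab="$1"; target="$2"; opt="$3"
  printf '%s\n' "$fstab" | awk -v t="$target" -v o="$opt" '
    /^[[:space:]]*#/ || NF < 4 { print; next }
    $2 == t {
      n = split($4, opts, ",")
      present = 0
      for (i = 1; i <= n; i++) if (opts[i] == o) present = 1
      if (!present) $4 = $4 "," o
    }
    { print }'
}

# audit_dev_shm: live check of the running system (hypothetical helper name).
# Not called below so the sample run stays self-contained.
audit_dev_shm() {
  has_mount_option "$(cat /proc/self/mounts)" /dev/shm nosuid
}

# Constructed sample mount table: /dev/shm lacks nosuid, /proc has it.
SAMPLE_MOUNTS='tmpfs /dev/shm tmpfs rw,nodev 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0'

# Constructed sample /etc/fstab with a /dev/shm entry missing nosuid.
SAMPLE_FSTAB='# constructed sample fstab
tmpfs /dev/shm tmpfs defaults,nodev 0 0
/dev/sda1 / ext4 errors=remount-ro 0 1'

# Demonstration: prints "no" for the sample /dev/shm, then the corrected fstab text.
has_mount_option "$SAMPLE_MOUNTS" /dev/shm nosuid || true
add_fstab_option "$SAMPLE_FSTAB" /dev/shm nosuid
```

After writing the corrected text back to /etc/fstab, the article's remount command (mount -o remount,nosuid /dev/shm) applies the option without a reboot, and a second run of the audit helper should then report "yes".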
Potential issues that may arise after applying the resolution
Altering the existing security setting may have the following impact on your network operations.
Does remediation require reboot?
No
Vulnerability Manager Plus tracks security configurations and remediates misconfigurations in your network systems from a centralized console. View a list of all the security misconfigurations detected by Vulnerability Manager Plus.