1.1.6 Ensure /dev/shm is configured

Information

/dev/shm is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) can access. If /dev/shm is not configured, tmpfs will be mounted to /dev/shm by systemd.

Notes:

-

An entry for /dev/shm in /etc/fstab will take precedence.

-

tmpfs can be resized using the size={size} parameter in /etc/fstab If we don't specify the size, it will be half the RAM.

Resize tmpfs example:

tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid,size=2G 0 0

Any user can upload and execute files inside the /dev/shm similar to the /tmp partition. Configuring /dev/shm allows an administrator to set the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.

Solution

Edit /etc/fstab and add or edit the following line:

tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid 0 0

Run the following command to remount /dev/shm :

# mount -o remount,noexec,nodev,nosuid /dev/shm

See Also

https://workbench.cisecurity.org/benchmarks/8498

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|5.1

Plugin: Unix

Control ID: 71002fa0273197094dce6dbb0534e3c7e9f7f763cab8219094b3e6a72a159202