在 RHEL/CentOS 7.9 上默认有tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel)
安全规则规定,必须使用 nosuid、nodev 和 nosuid 等安全选项来安装它不执行。
为什么 RHELnoexec
在已经使用其他两个时不自动包含?
专门使用该noexec
选项是好主意还是坏主意(带解释) /dev/shm
?如果这是一个好主意,那么如何实现它,因为相应的 mount 语句不存在/etc/fstab
参考:U_RHEL_7_V3R6_STIG_SCAP_1-2_Benchmark.zip
互联网上的任何人都可以从以下位置下载https://public.cyber.mil/stigs/downloads/在 Operating Systems/redhat7 下并阅读以下内容:
Rule Title: The Red Hat Enterprise Linux operating system must
mount /dev/shm with secure options.
Discussion: The "noexec" mount option causes the system to not execute
binary files. This option must be used for mounting any file
system not containing approved binary files as they may be
incompatible. Executing files from untrusted file systems
increases the opportunity for unprivileged users to attain
unauthorized administrative access.
The "nodev" mount option causes the system to not interpret character or
block special devices. Executing character or block special devices from
untrusted file systems increases the opportunity for unprivileged users
to attain unauthorized administrative access.
The "nosuid" mount option causes the system to not execute "setuid" and
"setgid" files with owner privileges. This option must be used for
mounting any file system not containing approved "setuid" and "setguid"
files. Executing files from untrusted file systems increases the
opportunity for unprivileged users to attain unauthorized administrative
access.
Check Text: Verify that the "nodev","nosuid", and "noexec" options are
configured for /dev/shm:
cat /etc/fstab | grep /dev/shm
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
If results are returned and the "nodev", "nosuid", or "noexec" options
are missing, this is a finding.
Verify "/dev/shm" is mounted with the "nodev", "nosuid", and "noexec"
options: mount | grep /dev/shm
tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)
If /dev/shm is mounted without secure options "nodev", "nosuid", and
"noexec", this is a finding.
Fix Text: Configure the system so that /dev/shm is mounted with the
"nodev", "nosuid", and "noexec" options by adding /modifying
the /etc/fstab with the following line:
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
答案1
RHEL(实际上是 systemd)不/dev/shm
使用该noexec
选项安装的原因是某些软件依赖于能够使用/dev/shm
来执行代码。这是完全“合法”且标准化的:使用以下命令打开共享内存对象shm_open
(在 Linux 上,这依赖于/dev/shm
),然后将其映射为可执行文件mmap
的PROT_EXEC
旗帜)。
如果这不适用于您,您可以添加该noexec
选项;推荐的方法是在以下位置添加适当的条目/etc/fstab
:
tmpfs /dev/shm tmpfs nosuid,nodev,noexec 0 0
同样,这可能会破坏性能良好的软件。 (我希望这里涉及的任何安全指南或审计都能清楚地表明这一点。)
看Systemd 支持 tmpfs |如何手动指定 /tmp 大小相关 systemd 文档的链接。具体可noexec
参见中的讨论man file-hierarchy
。