使用 noexec 挂载 /dev/shm

使用 noexec 挂载 /dev/shm

在 RHEL/CentOS 7.9 上默认有tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel)

安全规则规定,必须使用 nosuid、nodev 和 nosuid 等安全选项来安装它不执行

为什么 RHELnoexec在已经使用其他两个时不自动包含?

专门使用该noexec选项是好主意还是坏主意(带解释) /dev/shm?如果这是一个好主意,那么如何实现它,因为相应的 mount 语句不存在/etc/fstab

参考:U_RHEL_7_V3R6_STIG_SCAP_1-2_Benchmark.zip

互联网上的任何人都可以从以下位置下载https://public.cyber.mil/stigs/downloads/在 Operating Systems/redhat7 下并阅读以下内容:

Rule Title: The Red Hat Enterprise Linux operating system must
            mount /dev/shm with secure options.

Discussion: The "noexec" mount option causes the system to not execute
            binary files. This option must be used for mounting any file
            system not containing approved binary files as they may be
            incompatible. Executing files from untrusted file systems 
            increases the opportunity for unprivileged users to attain 
            unauthorized administrative access.

The "nodev" mount option causes the system to not interpret character or
block special devices. Executing character or block special devices from 
untrusted file systems increases the opportunity for unprivileged users 
to attain unauthorized administrative access.

The "nosuid" mount option causes the system to not execute "setuid" and 
"setgid" files with owner privileges. This option must be used for 
mounting any file system not containing approved "setuid" and "setguid" 
files. Executing files from untrusted file systems increases the 
opportunity for unprivileged users to attain unauthorized administrative 
access.

Check Text: Verify that the "nodev","nosuid", and "noexec" options are
            configured for /dev/shm:

cat /etc/fstab | grep /dev/shm

tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0

If results are returned and the "nodev", "nosuid", or "noexec" options
are missing, this is a finding.

Verify "/dev/shm" is mounted with the "nodev", "nosuid", and "noexec" 
options:  mount | grep /dev/shm

tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)

If /dev/shm is mounted without secure options "nodev", "nosuid", and 
"noexec", this is a finding.

Fix Text: Configure the system so that /dev/shm is mounted with the
          "nodev", "nosuid", and "noexec" options by adding /modifying 
          the /etc/fstab with the following line:

tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0

答案1

RHEL(实际上是 systemd)不/dev/shm使用该noexec选项安装的原因是某些软件依赖于能够使用/dev/shm来执行代码。这是完全“合法”且标准化的:使用以下命令打开共享内存对象shm_open(在 Linux 上,这依赖于/dev/shm),然后将其映射为可执行文件mmapPROT_EXEC旗帜)。

如果这不适用于您,您可以添加该noexec选项;推荐的方法是在以下位置添加适当的条目/etc/fstab

tmpfs /dev/shm tmpfs nosuid,nodev,noexec 0 0

同样,这可能会破坏性能良好的软件。 (我希望这里涉及的任何安全指南或审计都能清楚地表明这一点。)

Systemd 支持 tmpfs |如何手动指定 /tmp 大小相关 systemd 文档的链接。具体可noexec参见中的讨论man file-hierarchy

相关内容