Securing mount points on Linux
Mount points are defined in /etc/fstab. Each entry links a mount point (a directory in the file system tree) to the related device (a disk, partition or virtual device). By default the mount options are not focused on security, which leaves room to further harden the system. This hardening is especially important since our most precious data is stored on these file systems. Via mount options we can apply additional security controls to protect that data.
Mount point example
Let’s have a look at our /etc/fstab file.
Example output:
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
In the options column, the related mount options are defined. In this particular case it has “defaults” for /proc, meaning the options rw, suid, dev, exec, auto, nouser, and async are set.
Mount options
When looking at the options, here are a few common values:
Mount option | Meaning |
---|---|
rw | Read and write allowed |
auto | Mount automatically |
nouser | Do not allow a user to mount the file system |
async | Asynchronous saving of data, to improve performance |
Since this is a virtual file system, which has no user data or binaries stored, we leave it with the defaults option.
Mount options for hardening
Regarding the remaining options (suid, dev, exec), we will have a look at their “negative” opposites, to show how we can apply them to harden the system.
nodev
This option specifies that device files, such as block or character devices, are not interpreted on the file system. Normally these are only found under /dev and not on other mount points. Most mount points work correctly when device files are disabled, with the root file system as the exception.
Useful for: /boot /dev/shm /home /tmp /var and data partitions
Not suitable for: root (/)
noexec
With this option set, binaries can’t be directly executed.
Useful for: /boot /dev/shm /var and data partitions.
Not suitable for: root (/), /home (when using steam, wine or development) and /tmp (e.g. compiling applications might break)
nosuid
Do not let set-user-identifier (SETUID) or set-group-identifier (SETGID) bits take effect. These bits are set with chmod (u+s, g+s) or unset (u-s, g-s) to allow a binary to run as a specific user instead of the user who started it. For example, this allows a normal user to run the ping command with root privileges, which it needs to open a socket.
Useful for: /boot /dev/shm /home /tmp /var and data partitions
Not suitable for: root (/)
Apply system hardening
To harden mount points, replace the defaults entry in the options field with the related options. When applying multiple options, separate them with a comma.
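As an added example (not part of the original article), the Python script below audits fstab-style entries against the per-mount-point recommendations above: it expands the defaults entry, resolves dev/nodev-style pairs the way mount does (the last one listed wins), and reports which hardening options are still missing. The mount points and options come from this article's lists; the sample fstab content is constructed.

```python
# Added example: audit fstab entries against the hardening options above.
# Per-mount-point expectations follow this article's "Useful for" lists.
DEFAULTS = ["rw", "suid", "dev", "exec", "auto", "nouser", "async"]  # what "defaults" means
NEGATABLE = {"dev", "exec", "suid", "auto", "user"}  # options with a no* counterpart

# Recommended hardening options per mount point; root (/) is left alone.
RECOMMENDED = {
    "/boot": {"nodev", "noexec", "nosuid"},
    "/dev/shm": {"nodev", "noexec", "nosuid"},
    "/home": {"nodev", "nosuid"},  # noexec may break steam, wine, development
    "/tmp": {"nodev", "nosuid"},   # noexec may break compiling applications
    "/var": {"nodev", "noexec", "nosuid"},
}

def effective_options(field):
    """Expand "defaults" and resolve dev/nodev-style pairs; mount applies the last one."""
    effective = set()
    for opt in field.split(","):
        for token in (DEFAULTS if opt == "defaults" else [opt]):
            if token in NEGATABLE:
                effective.discard("no" + token)
            elif token.startswith("no") and token[2:] in NEGATABLE:
                effective.discard(token[2:])
            effective.add(token)
    return effective

def audit(fstab_text):
    """Return {mount_point: [missing hardening options]} for the mounts listed above."""
    findings = {}
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:  # blank, comment or malformed line
            continue
        mount_point, options = fields[1], effective_options(fields[3])
        missing = sorted(RECOMMENDED.get(mount_point, set()) - options)
        if missing:
            findings[mount_point] = missing
    return findings

# Constructed sample fstab content, not taken from a real system.
SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda2 /boot ext4 defaults 0 2
tmpfs /dev/shm tmpfs defaults 0 0
/dev/sda3 /home ext4 defaults,nodev,nosuid 0 2
/dev/sda4 /var ext4 rw,nodev,nosuid 0 2
"""
if __name__ == "__main__":
    for mount_point, missing in audit(SAMPLE_FSTAB).items():
        print(f"{mount_point}: add {','.join(missing)}")
```

Running it against the sample reports /boot and /dev/shm as still on defaults and /var as missing noexec, while /home already carries the recommended options.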