Securing mount points on Linux

Securing mount points

Mount points are defined in /etc/fstab. Each entry links a directory in the file system tree to the related device (disk, partition or virtual device). By default the mount options are not focused on security, which leaves room to further harden the system. This hardening matters because our most precious data is stored on these file systems. Via mount options we can apply additional security controls to protect that data.

Mount points

Let’s have a look at our /etc/fstab file.

Example output:

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0

In the options column, the related mount options are defined. In this particular case it has “defaults” for /proc, meaning the options rw, suid, dev, exec, auto, nouser, and async are set.

  • rw = read write
  • auto = mount automatically
  • nouser = do not allow a user to mount the file system
  • async = asynchronous saving of data, to improve performance

Since /proc is a virtual file system that stores no user data or binaries, we leave it with the defaults option.

Regarding the remaining options (suid, dev, exec), we will have a look at their “negative” opposites (nosuid, nodev, noexec), to show how we can apply them to harden the system.

nodev

This option disallows device files (block or character devices) on the mount point. Normally these are only found under /dev and not on other mount points. Most mount points work correctly with device files disabled, with the root file system as an exception.

Useful for: /boot /dev/shm /home /tmp /var and data partitions

Not suitable for: root (/)

noexec

With this option set, binaries can’t be directly executed.

Useful for: /boot /dev/shm /var and data partitions.

Not suitable for: root (/), /home (when using Steam, Wine or development tools) and /tmp (e.g. compiling applications might break)

nosuid

Do not allow set-user-identifier (SETUID) or set-group-identifier (SETGID) bits to take effect. These bits are set with chmod (u+s, g+s) or unset (u-s, g-s), and allow a binary to run under a specific user or group that is not the invoking user itself. For example, a normal user can run the ping command with root privileges, which it needs to open a socket.

Useful for: /boot /dev/shm /home /tmp /var and data partitions

Not suitable for: root (/)

Apply system hardening

To harden a mount point, replace the defaults entry in the options field with the related options. When applying multiple options, separate them with a comma.
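As an added example (not part of the original post), the following POSIX shell script audits fstab entries against the nodev/noexec/nosuid recommendations above and prints a hardened copy; the fstab content and UUID values are constructed for the demonstration, and the per-mount-point recommendation table is my reading of the lists above.

```shell
# Constructed sample fstab for the demonstration (not taken from a real system).
SAMPLE_FSTAB='# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
UUID=root-uuid  /               ext4    defaults        0       1
UUID=boot-uuid  /boot           ext4    defaults        0       2
UUID=home-uuid  /home           ext4    defaults        0       2
tmpfs           /tmp            tmpfs   defaults        0       0
tmpfs           /dev/shm        tmpfs   nodev,nosuid    0       0'
# Options recommended per mount point (from the lists above): / keeps suid, dev
# and exec; /home and /tmp keep exec because noexec can break builds, Wine etc.
recommended_opts() {
  case "$1" in
    /boot|/var|/dev/shm) echo "nodev,nosuid,noexec" ;;
    /home|/tmp)          echo "nodev,nosuid" ;;
    *)                   echo "" ;;
  esac
}
# Print the recommended options an fstab line lacks (empty output = nothing to add).
missing_opts() {
  set -- $1                      # split the line into its six fields
  mp=$2; opts=$4; missing=""
  for o in $(recommended_opts "$mp" | tr ',' ' '); do
    case ",$opts," in *",$o,"*) ;; *) missing="$missing${missing:+,}$o" ;; esac
  done
  printf '%s' "$missing"
}
# Rewrite one fstab line: 'defaults' is replaced, other option lists are extended.
harden_line() {
  case "$1" in ''|\#*) printf '%s\n' "$1"; return ;; esac   # pass comments through
  add=$(missing_opts "$1")
  set -- $1
  opts=$4
  if [ -n "$add" ]; then
    if [ "$opts" = defaults ]; then opts=$add; else opts="$opts,$add"; fi
  fi
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$opts" "$5" "$6"
}
# Report every mount point whose options fall short of the recommendation.
audit_fstab() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac
    m=$(missing_opts "$line")
    set -- $line
    if [ -n "$m" ]; then printf '%s missing %s\n' "$2" "$m"; fi
  done
}
# Emit the complete hardened fstab (review it before copying it over /etc/fstab).
harden_fstab() { printf '%s\n' "$1" | while IFS= read -r line; do harden_line "$line"; done; }
audit_fstab "$SAMPLE_FSTAB"; harden_fstab "$SAMPLE_FSTAB"
```

On a live system, `audit_fstab "$(cat /etc/fstab)"` lists the mount points still using the permissive defaults; apply the changes with `mount -o remount <mountpoint>` after editing, and test /tmp and /home first since noexec there can break legitimate workloads.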


This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.