Securing mount points on Linux

Mount points are defined in /etc/fstab. They link a particular disk pointer to the related device (disk, partition or virtual device). By default the mount options are not focused on security, which gives us a room to further improve hardening of the system. This hardening is especially important considering our most precious data is stored here. Via mount options we can apply additional security controls to protect our data.

Mount point example

Let’s have a look at our /etc/fstab file.

Example output:

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0

In the options column, the related mount options are defined. In this particular case it has “defaults” for /proc, meaning the options rw, suid, dev, exec, auto, nouser, and async are set.

Mount options

When looking at the options, here are a few common values:

Mount optionMeaning
rwRead and write allowed
autoMount automatically
nouserDo not allow a user to mount the file system
asyncAsynchronous saving of data, to improve performance

Since this is a virtual file system, which has no user data or binaries stored, we leave it with the defaults option.

Mount options for hardening

Regarding the remaining options (suid, dev, exec), we will have a look at their “negative” opposites, to show how we can apply them to harden the system.

nodev

This option describes that device files are not allowed, like block or character devices. Normally these are only found under /dev and not seen on other mount points. Most mount points will work correctly when these are disabled, with the root file system as an exception.

Useful for: /boot /dev/shm /home /tmp /var and data partitions

Not suitable for: root (/)

noexec

With this option set, binaries can’t be directly executed.

Useful for: /boot /dev/shm /var and data partitions.

Not suitable for: root (/), /home (when using steam, wine or development) and /tmp (e.g. compiling applications might break)

nosuid

Do not use set-user-identifier (SETUID) or set-group-identifier (SETGID) bits to take effect. These bits are set with chmod (u+s, g+s) or unset (u-s, g-s) to allow a binary running under a specific user, which is not the active user itself. For example, to allow a normal user to run the ping command with root privileges. This is needed to allow opening a socket.

Useful for: /boot /dev/shm /home /tmp /var and data partitions

Not suitable for: root (/)

Apply system hardening

To harden mount points, replace the defaults entry and add the related options to the related field. When applying multiple options, separate them with a comma.

Take the next step!

Want to learn more about Linux security? Have a look at the open source tool Lynis and become a Linux security expert yourself.

Lynis is a battle-tested technical security audit tool. It is open source, freely available, and used by system administrators all over the world. Other users include IT auditors, security professionals, like pentesters.

Tool Information

Visit project page
Screenshot of Lynis security tool