File System

Disable all file systems not needed

To reduce the attack surface, file system data is parsed by the kernel, so any logic bugs in file system drivers can become kernel exploits.

Disable NFS file system

NFS FileSystems are useful during development phases, but this can be a very helpful way for an attacker to get files when you are in production mode, so we must disable them.

Domain Config name Value
Kernel-FileSystems-NFS-1 CONFIG_NFSD n
Kernel-FileSystems-NFS-2 CONFIG_NFS_FS n

Partition Mount Options

There are several security restrictions that can be set on a filesystem when it is mounted. Some common security options include, but are not limited to:

nosuid - Do not allow set-user-identifier or set-group-identifier bits to take effect.

nodev - Do not interpret character or block special devices on the filesystem.

noexec - Do not allow execution of any binaries on the mounted filesystem.

ro - Mount filesystem as read-only.

The following flags shall be used for mounting common filesystems:

Domain Partition Value
Kernel-FileSystems-Mount-1 /boot nosuid, nodev and noexec.
Kernel-FileSystems-Mount-2 /var & /tmp In /etc/fstab or vfstab, add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-3 Non-root local If type is ext2 or ext3 and mount point not ‘/’, add nodev.
Kernel-FileSystems-Mount-4 Removable storage Add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-5 Temporary storage Add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-6 /dev/shm Add nosuid, nodev and noexec.
Kernel-FileSystems-Mount-7 /dev Add nosuid and noexec.

If CONFIG_DEVTMPFS_MOUNT is set, then the kernel will mount /dev and will not apply the nosuid, noexec options. Either disable CONFIG_DEVTMPFS_MOUNT or add a remount with noexec and nosuid options to system startup.

Domain Config name State or Value
Kernel-FileSystems-Mount-1 CONFIG_DEVTMPFS_MOUNT Disabled or add remount with noexec and nosuid to system startup.