Secure Mount Points
Use mount options to help prevent intruders from further escalating a compromise.
The primary way of interacting with a Unix machine is through its filesystem. Thus, when an intruder has gained access to a system, it is desirable to limit what he can do with the files available to him. One way to accomplish this is with the use of restrictive mount options.
A mount option is a flag that controls how the filesystem may be accessed. It is passed to the operating system kernel’s code when the filesystem is brought online. Mount options can be used to prevent files from being interpreted as device nodes, to disallow binaries from being executed, and to disallow the SUID bit from taking effect (by using the nodev, noexec, and nosuid flags). Filesystems can also be mounted read-only with the ro option.
These options are specified from the command line by running mount with the -o flag. For example, if you have a separate partition for /tmp that is on the third partition of your first IDE hard disk, you can mount it with the nodev, noexec, and nosuid flags, which are enabled by running the following command:

# mount -o nodev,noexec,nosuid /dev/hda3 /tmp

An equivalent entry in your /etc/fstab would look something like this:

/dev/hda3 /tmp ext3 defaults,nodev,noexec,nosuid 1 2
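As an added example (not part of the original hack), here is a small POSIX shell audit that reads a /proc/mounts-style table and reports which of nodev, noexec and nosuid each mount point in a site policy list is missing, or whether the directory is not a separate filesystem at all. The table contents and the policy list are constructed sample values.

```shell
#!/bin/sh
# Audit a /proc/mounts-style table for mount points that site policy says
# must carry nodev, noexec and nosuid. SAMPLE_MOUNTS is constructed data;
# on a live host pass "$(cat /proc/mounts)" to audit instead.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw,errors=remount-ro 0 0
/dev/hda3 /tmp ext3 rw,nodev,noexec,nosuid 0 0
/dev/hda4 /home ext3 rw,nodev 0 0
proc /proc proc rw 0 0'

# Assumed site policy: these mount points must be separate and restrictive.
POLICY_POINTS="/tmp /home"
REQUIRED="nodev noexec nosuid"

# has_opt OPTS NAME: succeeds if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_opts TABLE MOUNTPOINT: prints the required options MOUNTPOINT
# lacks (space separated, empty if none), or NOTMOUNTED if it is not a
# separate filesystem in TABLE (so it inherits its parent's options).
missing_opts() {
    opts=$(printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }' | tail -n 1)
    if [ -z "$opts" ]; then
        echo NOTMOUNTED
        return 0
    fi
    out=""
    for o in $REQUIRED; do
        has_opt "$opts" "$o" || out="$out $o"
    done
    echo "${out# }"
}

# audit TABLE: one report line per policy mount point.
audit() {
    for mp in $POLICY_POINTS; do
        m=$(missing_opts "$1" "$mp")
        case "$m" in
            "")         echo "$mp: ok" ;;
            NOTMOUNTED) echo "$mp: not a separate filesystem" ;;
            *)          echo "$mp: missing $m" ;;
        esac
    done
}
audit "$SAMPLE_MOUNTS"
```

On the sample table this reports /tmp as ok and /home as missing noexec and nosuid; a directory such as /var that has no entry of its own is flagged as not being a separate filesystem.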
By carefully considering your requirements and dividing up your storage into multiple filesystems, you can utilize these mount options to increase the work that an attacker will have to do in order to ...