7 ## Disable all file systems not needed
9 To reduce the attack surface, file system data is parsed by the kernel, so any
10 logic bugs in file system drivers can become kernel exploits.
12 ### Disable NFS file system
14 NFS FileSystems are useful during development phases, but this can be a very
15 helpful way for an attacker to get files when you are in production mode, so we
18 <!-- section-config -->
20 Domain | `Config` name | `Value`
21 ------------------------ | --------------- | -------
22 Kernel-FileSystems-NFS-1 | `CONFIG_NFSD` | `n`
23 Kernel-FileSystems-NFS-2 | `CONFIG_NFS_FS` | `n`
25 <!-- end-section-config -->
27 --------------------------------------------------------------------------------
31 ## Partition Mount Options
33 There are several security restrictions that can be set on a filesystem when it
34 is mounted. Some common security options include, but are not limited to:
36 `nosuid` - Do not allow set-user-identifier or set-group-identifier bits to take
39 `nodev` - Do not interpret character or block special devices on the filesystem.
41 `noexec` - Do not allow execution of any binaries on the mounted filesystem.
43 `ro` - Mount filesystem as read-only.
45 The following flags shall be used for mounting common filesystems:
47 <!-- section-config -->
49 Domain | `Partition` | `Value`
50 -------------------------- | ------------------- | -----------------------------------------------------------------
51 Kernel-FileSystems-Mount-1 | `/boot` | `nosuid`, `nodev` and `noexec`.
52 Kernel-FileSystems-Mount-2 | `/var` & `/tmp` | In `/etc/fstab` or `vfstab`, add `nosuid`, `nodev` and `noexec`.
53 Kernel-FileSystems-Mount-3 | _Non-root local_ | If type is `ext2` or `ext3` and mount point not '/', add `nodev`.
54 Kernel-FileSystems-Mount-4 | _Removable storage_ | Add `nosuid`, `nodev` and `noexec`.
55 Kernel-FileSystems-Mount-5 | _Temporary storage_ | Add `nosuid`, `nodev` and `noexec`.
56 Kernel-FileSystems-Mount-6 | `/dev/shm` | Add `nosuid`, `nodev` and `noexec`.
57 Kernel-FileSystems-Mount-7 | `/dev` | Add `nosuid` and `noexec`.
59 <!-- end-section-config --> <!-- section-note -->
61 If `CONFIG_DEVTMPFS_MOUNT` is set, then the kernel will mount /dev and will not
62 apply the `nosuid`, `noexec` options. Either disable `CONFIG_DEVTMPFS_MOUNT` or
63 add a remount with `noexec` and `nosuid` options to system startup.
65 <!-- end-section-note --> <!-- section-config -->
67 Domain | `Config` name | _State_ or `Value`
68 -------------------------- | ----------------------- | -----------------------------------------------------------------------
69 Kernel-FileSystems-Mount-1 | `CONFIG_DEVTMPFS_MOUNT` | _Disabled_ or add remount with `noexec` and `nosuid` to system startup.
71 <!-- end-section-config -->