GEN002420-ESXI5-00878 - Removable media, remote file systems, and any file system that does not contain approved setuid files must be mounted with the nosuid option.

Information

The 'nosuid' mount option causes the system to not execute setuid files with owner privileges. This option must be used for mounting any file system that does not contain approved setuid files. Executing setuid files from untrusted file systems, or file systems that do not contain approved setuid files, increases the opportunity for unprivileged users to attain unauthorized administrative access.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the host. Edit /etc/fstab and add the nosuid mount option to all file systems mounted from removable media or network shares, and any file system not containing approved setuid or setgid files. Re-enable Lockdown Mode on the host.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_ESXi5_Server_V2R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Group-ID|V-39422, Rule-ID|SV-250583r798748_rule, STIG-ID|GEN002420-ESXI5-00878, STIG-Legacy|SV-51280, STIG-Legacy|V-39422, Vuln-ID|V-250583

Plugin: VMware

Control ID: 3c776ce511fc4278270388431214d303af71eddfd86c7d81f10a4e1fde208929