Ensure /dev/shm is configuredID: oval:org.secpod.oval:def:96540 | Date: (C)2024-01-09 (M)2024-01-09 |
Class: COMPLIANCE | Family: unix |
/dev/shm is a traditional shared memory concept. One program will create a memory portion, which other processes (if permitted) can access. Mounting tmpfs at /dev/shm is handled automatically by systemd. Rationale: Any user can upload and execute files inside the /dev/shm similar to the /tmp partition. Configuring /dev/shm allows an administrator to set the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated.