DISA STIGS Viewer

AlmaLinux OS 9 must mount /var/log/audit with the nodev option.

Overview

Finding ID Version Rule ID IA Controls Severity
V-269320 ALMA-09-027190 SV-269320r1050202_rule   Medium
Description
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.
STIG Date
CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide 2025-05-22

Details

Check Text (C-73351r1048336_chk)
Verify "/var/log/audit" is mounted with the "nodev" option:

$ mount | grep /var/log/audit

/dev/mapper/luks-29b74747-2f82-4472-82f5-0b5eb763effc on /var/log/audit type xfs (rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)

If the "/var/log/audit" file system is mounted without the "nodev" option, this is a finding.
Fix Text (F-73252r1048337_fix)
Modify "/etc/fstab" to use the "nodev" option on the "/var/log/audit" directory.