Good Idea / Bad Idea - /dev/shm with nosuid, nodev, and noexec
Steve Alligood
steve at betterlinux.com
Fri Jul 27 18:07:47 MDT 2012
I have seen multiple script kiddies try to hide stuff in /dev/shm due to it generally being available and allowing executables. No exec is a good idea, though I would test any important apps before doing production that way.
On a side note, the best deterrent I have found for script kiddies was to lock down outbound connections to only specifically what you need. If they cannot connect out, the server becomes a lot less desirable. Of course, keeping them out in the first place is best, but you cannot always control that with other users that can run whatever they want to.
-Steve
Sent from my iPhone
On Jul 27, 2012, at 5:38 PM, Joshua Marsh <joshua at themarshians.com> wrote:
> On Fri, Jul 27, 2012 at 5:05 PM, Jacob Albretsen <jakea at xmission.com> wrote:
>
>> I am hardening some CentOS 5 and 6 boxes, and one of the recommendations I'm
>> reading is to mount /dev/shm with nosuid, nodev, and noexec. I've read about
>> what /dev/shm is, but I lack a deeper understanding. I've seen some things
>> online talking about it, but nothing concrete as to why it's a good idea other
>> than "it's more secure". Can anyone enlighten me more about this? I don't
>> want to run into any unintended issues down the road (will XYZ services still
>> work, can I still run VMs, etc etc)
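As an added example (not from the thread or its authors), a POSIX shell check an administrator can run on a CentOS 5/6 box to confirm that /dev/shm carries the nosuid, nodev and noexec options the original question asks about. It reads a /proc/mounts-style file; the sample mount lines below are constructed for demonstration, and the function name is my own.

```shell
#!/bin/sh
# Check whether a mountpoint (default /dev/shm) carries nosuid, nodev and
# noexec, reading a /proc/mounts-style file (default /proc/mounts).
# Usage: check_shm_opts [mounts_file] [mountpoint]
# Returns 0 if all three options are present, 1 if any is missing,
# 2 if the mountpoint has no entry at all.
check_shm_opts() {
    mounts="${1:-/proc/mounts}"
    target="${2:-/dev/shm}"
    # /proc/mounts fields: device mountpoint fstype options dump pass;
    # take the last matching entry, since later mounts shadow earlier ones.
    opts=$(awk -v mp="$target" '$2 == mp { print $4 }' "$mounts" | tail -n 1)
    if [ -z "$opts" ]; then
        echo "$target is not mounted (no entry in $mounts)"
        return 2
    fi
    missing=""
    for want in nosuid nodev noexec; do
        # wrap in commas so "nodev" cannot match inside another option name
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$target is missing:$missing (current: $opts)"
        return 1
    fi
    echo "$target is mounted with nosuid,nodev,noexec"
    return 0
}

# Constructed sample /proc/mounts contents (not captured from a real host):
# the first lacks noexec, the second carries all three options.
SAMPLE_WEAK=$(mktemp)
printf 'tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0\n' > "$SAMPLE_WEAK"
SAMPLE_HARD=$(mktemp)
printf 'tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0\n' > "$SAMPLE_HARD"

check_shm_opts "$SAMPLE_WEAK" || echo "(weak mount flagged, as expected)"
check_shm_opts "$SAMPLE_HARD"
rm -f "$SAMPLE_WEAK" "$SAMPLE_HARD"
```

Run with no arguments to inspect the live /proc/mounts; the matching /etc/fstab line would be `tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0`.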