CSF Warning Query

[DReade83]

I have the following warnings in my CSF Security Check screen:

/dev/shm isn't mounted with the noexec,nosuid options (currently: none). You should consider adding a mountpoint into /etc/fstab for /dev/shm with those options

The servers runlevel is currently set to 4. For a secure server environment you should only run the server at runlevel 3. You can fix this by editing /etc/inittab and changing the initdefault line to:
id:3:initdefault:
and then rebooting the server

I'm unsure about the first warning, but the second one I don't understand as the value it's asking me to change is already set to 'id:3:initdefault:' and the server has been rebooted too. Is this a bug?

Any help would be greatly appreciated.

Thanks in advance.

 

[mctDarren]

The first one means that you don't have /dev/shm mounted as noexec, nosuid. Anyone may be able to run anything in that directory as a result. If you load /etc/fstab in your favorite text editor you'll probably see that it says "defaults" on the /dev/shm line. Change that to "noexec, nosuid" and you'll see that error (and some worries) disappear.

The second one is strange. Is there a "#" at the start of the line. Or do you see that line again toward the end of the file with different settings? Were it my box, I would make the changes suggested, restart the machine and check /var/log/boot.log to see if you have anything funky happening on init. Do so at your own risk - my recommendation is to hire an admin to check over your machine for you if you're not sure what you're doing.

 

[nwilkens]

Or post your inittab and fstab here, and we will help you edit them.

Thanks,
Nick

 

[DReade83]

OK, I've done the 'fstab' one - thanks for that.

The 'inittab' file is as follows:

#
# inittab       This file describes how the INIT process should set up
#               the system in a certain run-level.
#
# Author:       Miquel van Smoorenburg, <[email protected]>
#               Modified for RHS Linux by Marc Ewing and Donnie Barnes
#

# Default runlevel. The runlevels used by RHS are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
id:3:initdefault:

# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit

l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6

# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now

# When our UPS tells us power has failed, assume we have a few minutes
# of power left.  Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"

# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"


# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon

 

[nwilkens]

runlevel

Your inittab appears OK, can you run 'who -r' on the command line?

You should receive output like:

# who -r
run-level 3 Feb 25 10:44 last=S

 

[DReade83]

Hmm, interesting:

run-level 4  Nov 21 18:14                   last=S

What could be causing that do you reckon?

 

[chirpy]

I would guess that it was set to run to runlevel 4 manually at the last reboot on the console.

 

[Denis Y. Frolov]

/etc/fstab:

/dev/hda3 / ext3 defaults,usrquota 1 1
/dev/hda1 /boot ext3 defaults 1 2
/dev/hda2 swap swap defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs noexec,nosuid 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0

but I still have the following warning in my CSF Security Check screen:

/dev/shm isn't mounted with the noexec,nosuid options (currently: none). You should consider adding a mountpoint into /etc/fstab for /dev/shm with those options

 

[chirpy]

Did you remount /dev/shm:

mount -o remount /dev/shm

 

[Denis Y. Frolov]

Did you remount /dev/shm:

mount -o remount /dev/shm

thanks a lot))

 

[yamaharr1]

I am having this same problem after following this post and using mount -o remount /dev/shm it returns an error

line 5 in /etc/fstab is bad

So I changed it back here is what is in fstab:

This file is edited by fstab-sync - see 'man fstab-sync' for details
/dev/sda3 / ext3 defaults,usrquota 1 1
/dev/sda1 /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /dev/shm tmpfs defaults 0 0
none /proc proc defaults 0 0
none /sys sysfs defaults 0 0
/dev/sda2 swap swap defaults 0 0
/usr/tmpDSK /tmp ext3 defaults,noauto 0 0
/tmp /var/tmp ext3 defaults,bind,noauto 0 0

ANyone know what I should do?