Profile Applicability:
 • Level 1

Description:
 The noexec mount option prevents execution of binaries on the mounted filesystem. Applying this option to /tmp mitigates the risk of executing unauthorized or malicious binaries from the temporary directory.

Rationale:
 Setting the noexec option on /tmp reduces the risk of execution-based attacks by preventing executable files stored in /tmp from being run.

Impact:
 Pros:

  • Helps prevent execution of malicious scripts or binaries from /tmp.

  • Enhances system security by restricting executable code in temporary storage.

 Cons:

  • Some applications may require execution privileges in /tmp, which could break functionality.

Default Value:
 By default, the noexec option is not set on /tmp unless it has been configured explicitly.

Pre-requisites:

  • Root or sudo privileges to modify /etc/fstab and remount filesystems.

  • /tmp must be mounted as a separate partition.

Remediation:

Test Plan:

Using Linux command line:

  1. Check current mount options on /tmp:

     mount | grep /tmp
  2. Verify that the noexec option is present in /etc/fstab for /tmp:

     grep /tmp /etc/fstab
     Expected output: Mount options for /tmp include noexec.


Implementation Plan:

Using Linux command line:

  1. Edit /etc/fstab to add noexec to the /tmp mount options. For example:

     /dev/<partition>  /tmp  ext4  defaults,nodev,nosuid,noexec  0  0


  2. Remount /tmp to apply the new option without reboot:

     mount -o remount,noexec /tmp


  3. Verify mount options again:

     mount | grep /tmp
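As an added example (not part of this benchmark text), the following POSIX shell helper performs the checks from the Test Plan and from step 3 above against a mount table supplied as text, so it can be exercised on the constructed samples below or, with --live, on the host's /proc/self/mounts and /etc/fstab. Function and variable names are this example's own.

```shell
#!/bin/sh
# Added audit helper (not part of the benchmark text): checks whether the
# /tmp mount point carries the noexec option in a mount table given as text.
# Both /etc/fstab and /proc/self/mounts put the mount point in field 2 and
# the comma-separated options in field 4, so one parser serves both.

# has_noexec_option MOUNT_POINT TABLE_TEXT
# Returns 0 if the line whose mount point is exactly MOUNT_POINT lists
# noexec; 1 if it does not or no such line exists. Matching field 2 exactly
# avoids the false positive that "mount | grep /tmp" gives for /tmp/something;
# if a mount point appears more than once (stacked mounts), the last line wins.
has_noexec_option() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        /^[[:space:]]*#/ { next }                 # skip fstab comments
        $2 == mp {
            seen = 1; found = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "noexec") found = 1
        }
        END { if (seen && found) exit 0; exit 1 }'
}

# audit_tmp_noexec: runs the check against the live host. Returns 0 only if
# the running mount AND /etc/fstab both carry noexec for /tmp, so a remount
# that was never persisted (or an fstab edit never applied) is a failure.
audit_tmp_noexec() {
    rc=0
    if has_noexec_option /tmp "$(cat /proc/self/mounts)"; then
        echo "PASS: /tmp is currently mounted with noexec"
    else
        echo "FAIL: /tmp is not mounted with noexec (or is not a separate mount)"; rc=1
    fi
    if has_noexec_option /tmp "$(cat /etc/fstab 2>/dev/null)"; then
        echo "PASS: /etc/fstab sets noexec for /tmp"
    else
        echo "FAIL: /etc/fstab does not set noexec for /tmp"; rc=1
    fi
    return $rc
}

# Constructed sample tables (not taken from any real system).
SAMPLE_FSTAB_WEAK='# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sdb1  /tmp  ext4  defaults,nodev,nosuid  0  0'
SAMPLE_FSTAB_HARDENED='/dev/sdb1  /tmp  ext4  defaults,nodev,nosuid,noexec  0  0'
SAMPLE_MOUNTS_WEAK='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /tmp ext4 rw,nosuid,nodev,relatime 0 0
/dev/sdc1 /tmp/build ext4 rw,noexec,relatime 0 0'

# Pass --live to audit the host you are running on.
if [ "${1:-}" = "--live" ]; then audit_tmp_noexec; fi
```

Run with --live as root to audit a real host; without arguments the file only defines the functions and samples.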


Backout Plan:

Using Linux command line:

  1. Remove noexec from /tmp mount options in /etc/fstab.

  2. Remount /tmp without noexec:

     mount -o remount /tmp
  3. Verify mount options:

     mount | grep /tmp


References: