Profile Applicability:
• Level 1
Description:
The noexec mount option prevents execution of binaries on the mounted filesystem. Applying this option to /dev/shm mitigates the risk of running unauthorized or malicious executables from shared memory.
Rationale:
/dev/shm is a world-writable, memory-backed tmpfs, which makes it a convenient place for an attacker who already has a foothold to drop and run a payload that leaves nothing on disk after a reboot. Mounting it with noexec causes execve() of any file on it to fail with EPERM, removing that staging area and forcing the attacker to find another writable, executable location.
Impact:
Pros:
Helps prevent execution of unauthorized binaries or scripts in /dev/shm.
Strengthens system defenses against execution-based attacks.
Cons:
Some applications may require execution privileges in /dev/shm (for example software that writes and then runs helper binaries there) and will fail with "Permission denied" once the option is applied; test such workloads before rolling the change out.
noexec is one layer, not a complete control: it stops execve() and PROT_EXEC mappings of files on the mount, but an interpreter can still read and run a script stored there (for example sh /dev/shm/x.sh), and an attacker may simply use another writable location. Apply nodev and nosuid alongside it and keep the same treatment for other world-writable tmpfs mounts such as /tmp.
Default Value:
On systemd-based distributions, including Amazon Linux 2, systemd mounts /dev/shm at boot as tmpfs with nosuid and nodev but without noexec; noexec must therefore be configured explicitly.
Pre-requisites:
Root or sudo privileges to modify /etc/fstab and remount filesystems.
/dev/shm must be a separate tmpfs mount. On systemd systems it is mounted as one automatically even with no /etc/fstab entry; adding an entry is the supported way to change its mount options persistently.
Remediation:
Test Plan:
Using Linux command line:
Check current mount options for /dev/shm (findmnt --kernel reads the live mount table and is more reliable than parsing mount(8) output):
findmnt --kernel /dev/shm
mount | grep /dev/shm
Verify that a persistent entry for /dev/shm with the noexec option exists in /etc/fstab:
grep /dev/shm /etc/fstab
Expected output: the live mount options for /dev/shm include noexec (for example rw,nosuid,nodev,noexec), and the /etc/fstab entry for /dev/shm lists noexec. If either check omits noexec, the recommendation is not met.
Implementation Plan:
Using Linux command line:
- Edit /etc/fstab to add noexec to /dev/shm mount options. Example:
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
Remount /dev/shm to apply the new options without a reboot (the remount takes effect immediately for new execve() calls; processes already running from /dev/shm are not affected):
mount -o remount,noexec /dev/shm
Verify mount options:
findmnt --kernel /dev/shm
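The audit and remediation steps above can be wrapped in small POSIX sh helpers so they are repeatable and can be dry-run against sample data. The script below is an added example, not part of the CIS benchmark text: shm_missing_opts() takes the option string that findmnt -kn -o OPTIONS /dev/shm prints and reports which of nodev, nosuid and noexec are absent; fstab_harden_shm() rewrites an fstab read from stdin so that it contains exactly one /dev/shm entry with the hardened options; audit_live_shm() and apply_shm_hardening() run those helpers against the live system. The function names and the sample fstab content are constructed for this example.

```shell
#!/bin/sh
# Added example, not benchmark text. Pure helpers take input as arguments or
# stdin so they can be tested on constructed data; the *_live functions touch
# the real system and are only run when called explicitly.

HARDENED_SHM_LINE='tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0'

# Print the hardening options missing from a comma-separated mount-option
# string (the format of `findmnt -kn -o OPTIONS /dev/shm`). Prints nothing and
# returns 0 when nodev, nosuid and noexec are all present; returns 1 otherwise.
shm_missing_opts() {
    opts=",$1,"
    missing=""
    for o in nodev nosuid noexec; do
        case "$opts" in
            *",$o,"*) ;;
            *) missing="${missing:+$missing,}$o" ;;
        esac
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Rewrite an fstab (stdin -> stdout) so it holds exactly one /dev/shm entry with
# the hardened option set. The first existing entry is replaced in place and any
# duplicate is dropped; if none exists the line is appended. Comments are kept.
fstab_harden_shm() {
    awk -v line="$HARDENED_SHM_LINE" '
        $1 !~ /^#/ && $2 == "/dev/shm" { if (!done) print line; done = 1; next }
        { print }
        END { if (!done) print line }
    '
}

# Live audit: returns 0 on PASS, 1 when options are missing, 2 when /dev/shm is
# not a separate mount at all.
audit_live_shm() {
    live=$(findmnt -kn -o OPTIONS /dev/shm 2>/dev/null) || {
        echo "FAIL: /dev/shm is not a separate mount"; return 2; }
    if m=$(shm_missing_opts "$live"); then
        echo "PASS: /dev/shm mounted with $live"
    else
        echo "FAIL: /dev/shm missing $m (current options: $live)"
        return 1
    fi
}

# Live remediation: back up /etc/fstab, rewrite it atomically, then remount so
# the fstab options take effect. Must be run as root.
apply_shm_hardening() {
    cp -p /etc/fstab "/etc/fstab.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fstab_harden_shm </etc/fstab >/etc/fstab.new || return 1
    mv /etc/fstab.new /etc/fstab || return 1
    mount -o remount,noexec /dev/shm || return 1
    audit_live_shm
}

# Usage:  . ./shm_noexec.sh; audit_live_shm          (audit only)
#         . ./shm_noexec.sh; apply_shm_hardening     (as root)
```

The awk filter compares the second field, so it handles tab- or space-separated fstab lines and leaves commented-out entries untouched; writing to a temporary file and then mv-ing it avoids leaving a truncated /etc/fstab if the rewrite is interrupted.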
Backout Plan:
Using Linux command line:
Remove noexec from the /dev/shm entry in /etc/fstab (or restore the backup taken before the change).
Remount /dev/shm so the options from /etc/fstab are reapplied without noexec:
mount -o remount /dev/shm
Verify mount options:
findmnt --kernel /dev/shm
References:
CIS Amazon Linux 2 Benchmark v3.0.0