Profile Applicability:
• Level 1
Description:
The noexec mount option prevents execution of binaries on the mounted filesystem. Applying this option to /var/tmp mitigates the risk of running unauthorized or malicious executables from this temporary directory.
Rationale:
Setting the noexec option on /var/tmp reduces the risk that attackers can execute malicious code from this partition, enhancing overall system security.
Impact:
Pros:
Helps prevent execution of unauthorized binaries or scripts in /var/tmp.
Strengthens system defenses against execution-based attacks.
Cons:
Some applications require execute permission on files placed in /var/tmp and may fail once noexec is set; test such applications before enforcing this option.
Default Value:
The noexec option is not usually set on /var/tmp by default and should be explicitly configured.
Pre-requisites:
Root or sudo privileges to modify /etc/fstab and remount filesystems.
/var/tmp must be mounted as a separate partition.
Remediation:
Test Plan:
Using Linux command line:
- Check the current mount options for /var/tmp:
    mount | grep /var/tmp
- Verify that noexec is present in the /etc/fstab entry for /var/tmp:
    grep /var/tmp /etc/fstab
Expected output: both commands show an entry for /var/tmp whose mount options include noexec. If the mount command prints nothing, /var/tmp is not a separate partition and this control cannot be applied until it is (see Pre-requisites).
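As an added example (not part of the benchmark text), the following POSIX shell helper applies the Test Plan checks in script form: it parses fstab entries for /var/tmp, scans a whole fstab file, and checks the live mount table. The live check assumes util-linux findmnt(8) is installed; the sample fstab lines are constructed.

```shell
#!/bin/sh
# Added audit helper for this control (not part of the CIS benchmark text).
# Assumes util-linux findmnt(8) for the live mount-table check.

# has_opt OPTIONS OPT: succeed if the comma-separated OPTIONS list contains
# OPT as a whole word ("noexec" must not match e.g. "noexec_fake").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab_line LINE: succeed if LINE is an fstab entry whose mount point
# (field 2) is /var/tmp and whose option list (field 4) contains noexec.
audit_fstab_line() {
    set -- $1
    [ "$2" = "/var/tmp" ] || return 1
    has_opt "$4" noexec
}

# audit_fstab_file [FILE]: succeed if any non-comment entry in FILE
# (default /etc/fstab) mounts /var/tmp with noexec.
audit_fstab_file() {
    found=1
    while read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        audit_fstab_line "$line" && found=0
    done < "${1:-/etc/fstab}"
    return $found
}

# audit_live MOUNTPOINT: 0 = separate mount with noexec, 1 = not a separate
# mount (the path lives on a parent filesystem), 2 = mounted without noexec.
audit_live() {
    target=$(findmnt -n -o TARGET --target "$1" 2>/dev/null) || return 1
    [ "$target" = "$1" ] || return 1
    opts=$(findmnt -n -o OPTIONS --target "$1" 2>/dev/null)
    has_opt "$opts" noexec || return 2
}

# Constructed sample entries (not taken from any real host).
COMPLIANT_LINE="/dev/sdb1 /var/tmp ext4 defaults,nodev,nosuid,noexec 0 0"
MISSING_LINE="/dev/sdb1 /var/tmp ext4 defaults,nodev,nosuid 0 0"

audit_fstab_line "$COMPLIANT_LINE" && echo "sample entry: noexec present"
audit_fstab_line "$MISSING_LINE"   || echo "sample entry: noexec missing"
if audit_live /var/tmp; then echo "/var/tmp: separate mount with noexec"
else echo "/var/tmp: not compliant (rc=$?)"; fi
```

Run it as root or via sudo so findmnt can read the full mount table; a non-zero audit_live code maps to the two failure cases named in the Pre-requisites and Description.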
Implementation Plan:
Using Linux command line:
- Edit /etc/fstab to add noexec to the /var/tmp mount options. Example:
    /dev/<partition> /var/tmp ext4 defaults,nodev,nosuid,noexec 0 0
- Remount /var/tmp with the new options without rebooting:
    mount -o remount,noexec /var/tmp
- Verify the mount options:
    mount | grep /var/tmp
Backout Plan:
Using Linux command line:
- Remove noexec from the /var/tmp mount options in /etc/fstab.
- Remount /var/tmp without noexec (the remount re-reads the options from /etc/fstab):
    mount -o remount /var/tmp
- Verify the mount options:
    mount | grep /var/tmp
References:
CIS Amazon Linux 2 Benchmark v3.0.0