Profile Applicability:
• Level 1
Description:
The noexec mount option prevents execution of binaries on the mounted filesystem. Applying this option to /var/log mitigates the risk of executing unauthorized or malicious binaries from the log directory.
Rationale:
Setting the noexec option on /var/log reduces the risk that attackers can execute malicious code from this partition, strengthening system security.
Impact:
Pros:
Helps prevent execution of unauthorized binaries or scripts in /var/log.
Enhances overall security posture.
Cons:
Some applications or services might require execution privileges in /var/log, which could be impacted.
Default Value:
The noexec option is typically not set on /var/log unless explicitly configured.
Pre-requisites:
Root or sudo privileges to modify /etc/fstab and remount filesystems.
/var/log must be mounted as a separate partition.
Remediation:
Test Plan:
Using Linux command line:
Check current mount options for /var/log:
mount | grep /var/log
Verify if noexec is included in /etc/fstab for /var/log:
grep /var/log /etc/fstab
Expected output: Mount options for /var/log include noexec.
Implementation Plan:
Using Linux command line:
- Edit /etc/fstab to add noexec to /var/log mount options. Example:
/dev/<partition> /var/log ext4 defaults,nodev,nosuid,noexec 0 0
Remount /var/log with new options:
mount -o remount,noexec /var/log
Verify mount options:
mount | grep /var/log
Backout Plan:
Using Linux command line:
Remove noexec from /var/log mount options in /etc/fstab.
Remount /var/log without noexec:
mount -o remount /var/log
Verify mount options:
mount | grep /var/log
References:
CIS Amazon Linux 2 Benchmark v3.0.0