Profile Applicability:
 • Level 1

Description:
 The noexec mount option prevents execution of binaries on the mounted filesystem. Applying this option to /var/log/audit mitigates the risk of executing unauthorized or malicious binaries from the audit log directory.

Rationale:
 Setting the noexec option on /var/log/audit reduces the attack surface by disallowing execution of binaries, helping to protect the system from code execution attacks originating from this partition.

Impact:
 Pros:

  • Prevents execution of unauthorized binaries in /var/log/audit.

  • Enhances system security posture.

 Cons:

  • May affect applications or scripts that require execution permissions in /var/log/audit (rare).

Default Value:
 The noexec option is generally not set on /var/log/audit unless explicitly configured.

Prerequisites:

  • Root or sudo privileges to modify /etc/fstab and remount filesystems.

  • /var/log/audit must be mounted as a separate partition.

Remediation:

Test Plan:

Using Linux command line:

  1. Check current mount options for /var/log/audit:

     mount | grep /var/log/audit

  2. Verify if noexec is present in /etc/fstab for /var/log/audit:

     grep /var/log/audit /etc/fstab

     Expected output: both the live mount options (step 1) and the /etc/fstab entry (step 2) for /var/log/audit include noexec.
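
An added example (not part of this benchmark) that automates the Test Plan above as a POSIX shell check: it parses /proc/self/mounts and /etc/fstab, which share the same six-column layout, and reports whether /var/log/audit is a separate mount carrying noexec both at runtime and persistently. The function names and the embedded sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: an automated form of the Test Plan.
# /proc/self/mounts and /etc/fstab share the layout
#   <source> <mount point> <fstype> <options> <dump> <pass>
# so one parser serves both the live mount and the persistent configuration.

# has_mount_option <mountpoint> <option> <file>
# Exit status: 0 = entry present with the option, 1 = entry present without it,
# 2 = no entry for <mountpoint> (i.e. not a separate mount). Comment lines are skipped.
has_mount_option() {
  mp="$1"; opt="$2"; file="$3"
  # Last matching entry wins, mirroring how the kernel lists stacked mounts.
  opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { last = $4 } END { print last }' "$file")
  [ -n "$opts" ] || return 2
  # Delimit with commas so "noexec" cannot be satisfied by a substring of "exec".
  case ",$opts," in
    *",$opt,"*) return 0 ;;
    *)          return 1 ;;
  esac
}

# audit_noexec <mounts-file> <fstab-file>
# Returns 0 only if /var/log/audit carries noexec in BOTH files (live and persistent).
audit_noexec() {
  rc=0
  for src in "$1" "$2"; do
    if has_mount_option /var/log/audit noexec "$src"; then
      echo "PASS: $src: /var/log/audit mounted with noexec"
    else
      echo "FAIL: $src: /var/log/audit lacks noexec or is not a separate mount"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample fstab (not from a real host) so the check runs offline.
# On a live system run: audit_noexec /proc/self/mounts /etc/fstab
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <file system>  <mount point>   <type>  <options>                      <dump> <pass>
/dev/sda1        /               ext4    defaults                       0 1
/dev/sda3        /var/log/audit  ext4    defaults,nodev,nosuid,noexec   0 0
EOF
audit_noexec "$sample" "$sample"
rm -f "$sample"
```

A non-zero exit from audit_noexec is the finding; a status of 2 from has_mount_option means the prerequisite (separate partition) is not met rather than the option merely being absent.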

Implementation Plan:

Using Linux command line:

  1. Edit /etc/fstab to add noexec to the mount options for /var/log/audit. Example:

     /dev/<partition>  /var/log/audit  ext4  defaults,nodev,nosuid,noexec  0  0

  2. Remount /var/log/audit with the new options:

     mount -o remount,noexec /var/log/audit

  3. Verify mount options:

     mount | grep /var/log/audit

Backout Plan:

Using Linux command line:

  1. Remove noexec from the /var/log/audit mount options in /etc/fstab.

  2. Remount /var/log/audit without noexec:

     mount -o remount /var/log/audit

  3. Verify mount options:

     mount | grep /var/log/audit

References: