1.1.6.2 Ensure noexec option set on /var/log/audit partition

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The noexec mount option specifies that the filesystem cannot contain executable binaries.

Rationale:

Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit.

Solution

Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition.
Example:

<device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0

Run the following command to remount /var/log/audit with the configured options:

# mount -o remount /var/log/audit

See Also

https://workbench.cisecurity.org/files/3939