1.1.3 Ensure noexec option set on /tmp partition

Information

The noexec mount option specifies that the filesystem cannot contain executable binaries.

Rationale:

Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp .

Solution

Edit the /etc/fstab file OR the /etc/systemd/system/local-fs.target.wants/tmp.mount file:


If /etc/fstab is used to mount /tmp


Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information.
Run the following command to remount /tmp :

# mount -o remount,noexec /tmp

OR


If an explicit systemd target is used to mount /tmp:


Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options:

[Mount]
Options=mode=1777,strictatime,noexec,nodev,nosuid

Run the following command to restart the systemd daemon:

# systemctl daemon-reload

Run the following command to restart tmp.mount

# systemctl restart tmp.mount

Additional Information:

These remediation steps are based on following the remediation guidance in item 1.1.2.

If a different file name was used that name should replace tmp.mount in the path /etc/systemd/system/local-fs.target.wants/tmp.mount

The contents of /etc/systemd/system/local-fs.target.wants should exist as a symlink to the file created in /etc/systemd/system.

If the path /etc/systemd/system/local-fs.target.wants/tmp.mount does not exist this could indicate that the remediation steps from 1.1.2 were not completed successfully.

See Also

https://workbench.cisecurity.org/files/3682

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|2.6

Plugin: Unix

Control ID: 01eb5fd3077970e1787a081d68261494477ce2ef9ce3b50a39886997e344c0eb