Detections
Analytics

1.1.2.7.4 Ensure noexec option set on /var/log/audit partition

Information

The noexec mount option specifies that the filesystem cannot contain executable binaries.

Since the /var/log/audit filesystem is only intended for audit logs, set this option to ensure that users cannot run executable binaries from /var/log/audit.

Solution

- IF - a separate partition exists for /var/log/audit.

Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log/audit partition.

Example:

<device> /var/log/audit <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0

Run the following command to remount /var/log/audit with the configured options:

# mount -o remount /var/log/audit

See Also

https://workbench.cisecurity.org/benchmarks/24330

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|CM-7(2), 800-53|MP-2, CSCv7|14.6, Rule-ID|SV-230519r958804_rule, Rule-ID|SV-257874r958804_rule, STIG-ID|RHEL-08-040131, STIG-ID|RHEL-09-231165

Plugin: Unix

Control ID: 50c65f22d978a642d7bbc6ac89db867a4e857f26713900283749dc1eebe01ed7