====== 1.1.5 Ensure noexec option set on /tmp partition (Scored) ======
=====Profile Applicability=====  
<code>
Level 1 - Server 
Level 1 - Workstation
</code>
=====Description=====
The ''noexec'' mount option specifies that the filesystem cannot contain executable binaries.
=====Rationale=====
Since the ''/tmp'' filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from ''/tmp''.
=====Audit===== 
If a ''/tmp'' partition exists run the following command and verify that the ''noexec'' option is set on ''/tmp'':
<Code:bash>
# mount | grep /tmp 
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)
</Code>
=====Remediation===== 
Edit ''/etc/systemd/system/local-fs.target.wants/tmp.mount'' to add ''noexec'' to the ''/tmp'' mount options:
<Code:bash>
[Mount] 
Options=mode=1777,strictatime,noexec,nodev,nosuid
</Code>
Run the following command to remount ''/tmp'':
<Code:bash>
# mount -o remount,noexec /tmp
</Code>
=====Notes===== 
''systemd'' includes the ''tmp.mount'' service which should be used instead of configuring ''/etc/fstab''. Mounting options are configured in the Options setting in ''/etc/systemd/system/tmp.mount''.