1.1.17 Ensure noexec option set on /dev/shm partition (Scored)
Profile Applicability
Level 1 - Server
Level 1 - Workstation
Description
The noexec mount option specifies that the filesystem cannot contain executable binaries.
Rationale
Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system.
Audit
Run the following command and verify that the noexec option is set on /dev/shm:
# mount | grep /dev/shm
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
Remediation
Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.
Run the following command to remount /dev/shm:
# mount -o remount,noexec /dev/shm
Impact
/dev/shm is not specified in /etc/fstab despite being mounted by default, so a remount alone applies only until the next boot. The following line will implement the recommended /dev/shm mount options in /etc/fstab:
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
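The audit and remediation above together require two things: noexec on the live mount and a persistent fstab entry carrying it. The following POSIX shell helper is an added example, not part of the CIS Benchmark, that checks both from /proc/mounts-format and fstab-format input; the sample inputs it creates are constructed, and the function names are this example's own.

```sh
#!/bin/sh
# Added helper, not part of the CIS Benchmark: checks that noexec is set on
# the live /dev/shm mount AND persisted in fstab, reading both from files given
# as arguments so it can be run against constructed samples offline.

# has_opt OPTS NAME: true if NAME is one of the comma-separated mount options
# (exact match, so "noexec" does not match a hypothetical "noexec2").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Option field (4th) of the /dev/shm entry in /proc/mounts-format input.
shm_mount_opts() {
    awk '$2 == "/dev/shm" { print $4; exit }' "$1"
}

# Option field (4th) of the /dev/shm entry in fstab-format input; comment
# lines and lines with fewer than four fields are ignored.
shm_fstab_opts() {
    awk '!/^[ \t]*#/ && NF >= 4 && $2 == "/dev/shm" { print $4; exit }' "$1"
}

# audit_shm MOUNTS_FILE FSTAB_FILE: prints PASS or a FAIL reason; returns 0
# only when noexec is on the live mount and in the persistent fstab entry.
audit_shm() {
    live=$(shm_mount_opts "$1")
    persist=$(shm_fstab_opts "$2")
    [ -n "$live" ] || { echo "FAIL: /dev/shm is not mounted"; return 1; }
    has_opt "$live" noexec || { echo "FAIL: live mount lacks noexec ($live)"; return 1; }
    [ -n "$persist" ] || { echo "FAIL: no fstab entry for /dev/shm, noexec will not survive a reboot"; return 1; }
    has_opt "$persist" noexec || { echo "FAIL: fstab entry lacks noexec ($persist)"; return 1; }
    echo "PASS: noexec set on /dev/shm (live and fstab)"
}

# Constructed sample inputs (not captured from a real host) for a self-check.
tmp=$(mktemp -d)
printf 'tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0\n' > "$tmp/mounts.bad"
printf 'tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0\n' > "$tmp/mounts.good"
printf '# /dev/shm missing: constructed stock fstab with only a root entry\n/dev/sda1 / ext4 defaults 0 1\n' > "$tmp/fstab.none"
printf 'tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n' > "$tmp/fstab.good"

audit_shm "$tmp/mounts.bad"  "$tmp/fstab.good" || :   # FAIL: live mount lacks noexec
audit_shm "$tmp/mounts.good" "$tmp/fstab.none" || :   # FAIL: no fstab entry
audit_shm "$tmp/mounts.good" "$tmp/fstab.good"        # PASS
# On a real host: audit_shm /proc/mounts /etc/fstab
```

The comment line in the constructed fstab deliberately has /dev/shm as its second whitespace-separated word, which is why the parser must skip comments rather than match on field position alone.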