1.1.17 Ensure noexec option set on /dev/shm partition (Scored)

Level 1 - Server 
Level 1 - Workstation

The noexec mount option specifies that the filesystem cannot contain executable binaries.

Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system. Note that noexec only blocks direct execution of binaries stored on the mount; an interpreter that is already on the system can still read and run a script kept there (for example sh /dev/shm/x.sh), so the option raises the bar for an attacker rather than closing the path entirely.

Run the following command and verify that the noexec option is set on /dev/shm.

# mount | grep /dev/shm 
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)

Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.
Run the following command to remount /dev/shm:

# mount -o remount,noexec /dev/shm

On CentOS 7, /dev/shm is mounted automatically at boot (by systemd) and is therefore normally not listed in /etc/fstab. The following line adds an entry that implements the recommended /dev/shm mount options; use the remount command above (or reboot) to apply them to the running system:

tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
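The audit from the previous section and the remediation above, combined into one script as an added example. This is not part of the CIS benchmark text or of any CentOS tooling; it assumes the `mount` output format shown above ("<src> on <target> type <fstype> (<opts>)") and a whitespace-separated /etc/fstab, and the function names are this example's own. It checks all three recommended options (nodev, nosuid, noexec) rather than noexec alone, and only rewrites the /dev/shm entry of fstab, leaving every other line untouched.

```sh
#!/bin/sh
# Added example (not part of the CIS benchmark text): audit and remediation
# helpers for the /dev/shm mount options. Assumes a CentOS 7 style `mount`
# output line ("<src> on <target> type <fstype> (<opts>)") and a whitespace
# separated /etc/fstab; function names are this example's own.

# Succeed when the comma-separated option list $1 contains option $2 exactly.
has_mount_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Extract the parenthesised option list from one line of `mount` output.
mount_line_opts() {
    printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p'
}

# Audit /dev/shm. Uses the live `mount` output unless a mount line is passed
# as $1 (handy for testing). Prints PASS/FAIL; returns 0 on PASS, 1 on FAIL.
audit_dev_shm() {
    shm_line="${1:-$(mount | grep ' on /dev/shm ')}"
    if [ -z "$shm_line" ]; then
        echo "FAIL: /dev/shm is not mounted"
        return 1
    fi
    shm_opts=$(mount_line_opts "$shm_line")
    missing=""
    for o in nodev nosuid noexec; do
        has_mount_opt "$shm_opts" "$o" || missing="$missing $o"
    done
    if [ -z "$missing" ]; then
        echo "PASS: /dev/shm mounted with ($shm_opts)"
        return 0
    fi
    echo "FAIL: /dev/shm missing option(s):$missing (mounted with: $shm_opts)"
    return 1
}

# Rewrite fstab text from stdin to stdout: if a /dev/shm entry exists, append
# any of nodev,nosuid,noexec that its fourth field lacks; otherwise append the
# benchmark's recommended line. Comments, blank lines and other entries pass
# through unchanged.
remediate_fstab() {
    awk '
        $1 ~ /^#/ || NF < 4 { print; next }
        $2 == "/dev/shm" {
            split("", seen)
            n = split($4, have, ",")
            for (i = 1; i <= n; i++) seen[have[i]] = 1
            split("nodev nosuid noexec", req, " ")
            for (i = 1; i <= 3; i++) if (!(req[i] in seen)) $4 = $4 "," req[i]
            found = 1
        }
        { print }
        END { if (!found) print "tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" }
    '
}

# Stand-alone use:  sh shm_check.sh audit
#                   sh shm_check.sh remediate < /etc/fstab > /tmp/fstab.new
case "${1:-}" in
    audit)     audit_dev_shm ;;
    remediate) remediate_fstab ;;
esac
```

Review /tmp/fstab.new before copying it over /etc/fstab, then apply the options to the live mount with mount -o remount,nodev,nosuid,noexec /dev/shm and re-run the audit; the exit status (0 for PASS, 1 for FAIL) makes the audit usable from a configuration-management or monitoring job.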
  • Last modified: 2017/05/05 21:22
  • by Piotr Kłoczewski