1.1.5.3 Ensure noexec option set on /var/log partition

Information

The noexec mount option specifies that the filesystem cannot contain executable binaries.

Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log

Solution

IF the /var/log partition exists, edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/log partition.

Example:

<device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0

Run the following command to remount /var/log with the configured options:

# mount -o remount /var/log

See Also

https://workbench.cisecurity.org/benchmarks/13007

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 9958b1f7a09cf3dcec14dd345d0e27729efbf0fca9006c40a337660852922025