1.1.3 Ensure noexec option set on /tmp partition

Information

The noexec mount option specifies that the filesystem cannot contain executable binaries.

Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp

Solution

Edit the /etc/fstab file OR the /etc/systemd/system/local-fs.target.wants/tmp.mount file:

IF /etc/fstab is used to mount /tmp

Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information.

Run the following command to remount /tmp :

# mount -o remount,noexec /tmp

OR

If an explicit systemd target is used to mount /tmp :

Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options:

[Mount]
Options=mode=1777,strictatime,noexec,nodev,nosuid

Run the following command to restart the systemd daemon:

# systemctl daemon-reload

Run the following command to restart tmp.mount

# systemctl restart tmp.mount

See Also

https://workbench.cisecurity.org/files/3682

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|2.6

Plugin: Unix

Control ID: 6fc001e12d8bca44a9697e12448e4954ce64069a1403e45a4c5365ecf4cb008e