Add noexec Option to /home

An XCCDF Rule

Description

The noexec mount option can be used to prevent binaries from being executed out of /home. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /home.

warning alert: Functionality Warning

OVAL looks for partitions whose mount point is a substring of any interactive user's home directory and validates that noexec option is there. Because of this, there could be false negatives when several partitions share a base substring. For example, if there is a home directory in /var/tmp/user1 and there are partitions mounted in /var and /var/tmp. The noexec option is only expected in /var/tmp, but OVAL will check both.
Bash remediation uses the df command to find out the partition where the home directory is mounted. However, if the directory doesn't exist the remediation won't be applied.

Rationale

The /home directory contains data of individual users. Binaries in this directory should not be considered as trusted and users should not be able to execute them.

ID: xccdf_org.ssgproject.content_rule_mount_option_home_noexec
Severity: Medium
References: BP28(R12)

CCI-000366

CM-6(b)

SRG-OS-000480-GPOS-00227

OL08-00-010590

SV-248620r779426_rule
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation (){

    mount_point_match_regexp="$(printf "^[[:space:]]*[^#].*[[:space:]]%s[[:space:]]" $1)"
    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if ! grep -q "$mount_point_match_regexp" /etc/fstab; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        # In iso9660 filesystems mtab could describe a "blocksize" value, this should be reflected in
        # fstab as "block".  The next variable is to satisfy shellcheck SC2050.
        fs_type=""
        if [  "$fs_type" == "iso9660" ] ; then
            previous_mount_opts=$(sed 's/blocksize=/block=/' <<< "$previous_mount_opts")
        fi
        echo " $1  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif ! grep "$mount_point_match_regexp" /etc/fstab | grep -q "noexec"; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
    fi

    if mkdir -p "$1"; then
        if mountpoint -q "$1"; then
            mount -o remount --target "$1"
        fi
    fi
}

readarray -t home_directories  < \
    <(awk -F':' '{if ($3>=1000 && $3!= 65534) print $6}' /etc/passwd )


for home_directory in "${home_directories[@]}"
do
    if [ -d $home_directory ]; then
        fstab_mount_point=$(df $home_directory | awk '/^\/dev/ {print $6}')
        if  ! grep -qP "^/$|^/lib$|^/opt$|^/usr$|^/bin$|^/sbin$|^/boot$|^/dev$|^/proc$" <<< $fstab_mount_point
        then
            perform_remediation "$fstab_mount_point"
        fi
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Add noexec Option to /home

Description

Rationale

Remediation - Shell Script