Skip to content

Add noexec Option to /var/log/audit

An XCCDF Rule

Description

The noexec mount option can be used to prevent binaries from being executed out of /var/log/audit. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.

Rationale

Allowing users to execute binaries from directories containing audit log files such as /var/log/audit should never be necessary in normal operation and can expose the system to potential compromise.

ID
xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec
Severity
Medium
References
Updated



Remediation - Anaconda Pre-Install Instructions


part /var/log/audit --mountoptions="noexec"

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/log/audit" > /dev/null || findmnt --fstab "/var/log/audit" > /dev/null ); then

function perform_remediation {
    
        # the mount point /var/log/audit has to be defined in /etc/fstab

Remediation - Ansible

- name: 'Add noexec Option to /var/log/audit: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log/audit'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",