Add noexec Option to /var/log/audit

An XCCDF Rule

Description

The noexec mount option can be used to prevent binaries from being executed out of /var/log/audit. Add the noexec option to the list of Options in the systemd.mount unit that controls mounting of /var/log/audit.

Rationale

Allowing users to execute binaries from directories containing audit log files such as /var/log/audit should never be necessary in normal operation and can expose the system to potential compromise.

ID
xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec
Severity
Medium