Add noexec Option to /var/tmp

An XCCDF Rule

Description

The noexec mount option prevents binaries stored on a filesystem from being executed directly. Add noexec to the comma-separated Options= list of the systemd.mount unit that controls mounting of /var/tmp, so that the option is applied every time /var/tmp is mounted.
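
The audit and remediation described above, as an added shell example that is not part of the SSG rule content. It assumes the mount unit for /var/tmp is named var-tmp.mount (the systemd escaping of the path /var/tmp), that a drop-in under /etc/systemd/system/var-tmp.mount.d/ is the chosen way to change its Options= line, and that findmnt(8) from util-linux is present for the live check; none of these names come from the rule text.

```sh
#!/bin/sh
# Added example (not part of the SSG rule content): audit and remediation
# helpers for the noexec option on /var/tmp.
#
# Assumptions, stated here because the rule text does not give them:
#  - the mount unit for /var/tmp is var-tmp.mount (systemd path escape of
#    /var/tmp) and a drop-in under /etc/systemd/system/var-tmp.mount.d/
#    is used to override its Options= line;
#  - findmnt(8) from util-linux is available for the live check.

# has_noexec OPTIONS
# Succeed if the comma-separated mount option list contains exactly "noexec"
# (a prefix match such as "noexec_x" must not count).
has_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# with_noexec OPTIONS
# Print OPTIONS with "noexec" appended once. systemd's Options= is a single
# comma-separated value, so a drop-in must restate the whole list, not just
# the option being added.
with_noexec() {
    if has_noexec "$1"; then
        printf '%s\n' "$1"
    elif [ -z "$1" ]; then
        printf 'noexec\n'
    else
        printf '%s,noexec\n' "$1"
    fi
}

# dropin_for OPTIONS
# Print the drop-in body that overrides Options= for var-tmp.mount.
dropin_for() {
    printf '[Mount]\nOptions=%s\n' "$(with_noexec "$1")"
}

# check_mount [PATH]
# Live check. Exit status: 0 = noexec active on the mount point itself,
# 1 = mount point exists but lacks noexec, 2 = PATH is not its own mount
# point (the option would have to be applied to the parent filesystem).
check_mount() {
    mp="${1:-/var/tmp}"
    target=$(findmnt -n -o TARGET --target "$mp" 2>/dev/null) || return 2
    [ "$target" = "$mp" ] || return 2
    has_noexec "$(findmnt -n -o OPTIONS --target "$mp")"
}

# Run as "sh this.sh --check": audit /var/tmp and, when noexec is missing,
# print the drop-in an administrator would install as
# /etc/systemd/system/var-tmp.mount.d/noexec.conf (nothing is written here).
if [ "${1:-}" = "--check" ]; then
    check_mount /var/tmp && rc=0 || rc=$?
    case "$rc" in
        0) echo "/var/tmp: noexec set" ;;
        2) echo "/var/tmp is not a separate mount point; set noexec on its parent filesystem" ;;
        *) echo "/var/tmp lacks noexec; suggested drop-in:"
           dropin_for "$(findmnt -n -o OPTIONS --target /var/tmp)" ;;
    esac
fi
```

After installing the drop-in, `systemctl daemon-reload` picks up the new Options= value and `mount -o remount,noexec /var/tmp` applies it to the running system without unmounting a directory that may hold open files; re-run the check afterwards. Note the limit of the control: noexec stops direct execution (including via mmap with PROT_EXEC), but a script passed to an interpreter, such as `sh /var/tmp/x.sh`, still runs, so the option is one hardening layer rather than a complete block on code from /var/tmp.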

Rationale

Allowing users to execute binaries from world-writable directories such as /var/tmp should never be necessary in normal operation and can expose the system to potential compromise.

ID
xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec
Severity
Medium