Add noexec Option to Removable Media Partitions
An XCCDF Rule
Description
The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media.

Add the noexec option to the fourth column (the mount options field) of /etc/fstab for the line which controls mounting of any removable media partitions; the device or mount point of that line is the one selected by the var_removable_partition value used with this rule. An option added to /etc/fstab only takes effect the next time the filesystem is mounted, so a partition that is already mounted must be remounted (mount -o remount <mount point>) for noexec to apply; the options of a live mount can be confirmed in /proc/mounts.

Note that noexec blocks execve() of files on the mount only: an interpreter already installed on the system can still run a script read from the media (for example, sh /media/usb/script.sh), so this option reduces rather than eliminates the risk from untrusted media.
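The following POSIX shell helpers are an added example and are not the rule's own remediation script: they check the mount-options field of an fstab-format file for noexec, add it idempotently when it is missing, and (because /proc/mounts uses the same column layout) let the same check be run against a live mounts table. The sample fstab they operate on is constructed here, and taking a file path as a parameter rather than editing /etc/fstab directly is an assumption made so the helpers can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from the SSG rule or its remediation scripts.
# Helpers to check and enforce "noexec" in the mount-options field (4th column)
# of an fstab-format file. /proc/mounts uses the same field layout, so
# mount_options/has_noexec also work on a live mounts table. Callers pass the
# file path explicitly (assumption: a copy of /etc/fstab or /proc/mounts for
# testing; the real files need root).

# Print the options field of the entry whose device or mount point equals $2.
# Comment and blank lines are ignored; nothing is printed if no entry matches.
mount_options() {
    awk -v target="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == target || $2 == target { print $4; exit }
    ' "$1"
}

# Exit 0 if the matching entry in $1 carries noexec, 1 otherwise (or if absent).
has_noexec() {
    opts=$(mount_options "$1" "$2")
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Append ",noexec" to the options of the matching fstab entry in $1, in place.
# Idempotent: an entry that already has noexec is left untouched. The file is
# overwritten through cat so its inode, owner and mode are preserved.
fstab_add_noexec() {
    file=$1; target=$2
    has_noexec "$file" "$target" && return 0
    tmp=$(mktemp) || return 1
    awk -v target="$target" '
        /^[[:space:]]*#/ || NF == 0 { print; next }
        ($1 == target || $2 == target) && $4 !~ /(^|,)noexec(,|$)/ {
            $4 = $4 ",noexec"
            line = $1
            for (i = 2; i <= NF; i++) line = line "\t" $i
            print line
            next
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Write a constructed sample fstab (not taken from any real system) to a temp
# file and print its path, so the helpers can be run without touching /etc/fstab.
make_sample_fstab() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        '# constructed sample fstab, not a real system file' \
        'UUID=1111-2222   /            ext4   defaults               1 1' \
        '/dev/sdb1        /media/usb   vfat   defaults,nosuid,nodev  0 0' \
        > "$f"
    printf '%s\n' "$f"
}

# Demo when run directly as: sh noexec_fstab.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_fstab)
    fstab_add_noexec "$f" /media/usb
    printf 'after remediation: %s\n' "$(mount_options "$f" /media/usb)"
    rm -f "$f"
fi
```

Run `has_noexec /proc/mounts /media/usb` after editing /etc/fstab to confirm whether the live mount actually carries the option; if it does not, the partition still needs a remount before the fstab change protects anything.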
Rationale
Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.
- ID: xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions
- Severity: Medium
- References
- Updated
Remediation - Ansible
- name: XCCDF Value var_removable_partition # promote to variable
  set_fact:
    var_removable_partition: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_removable_partition" use="legacy"/>
  tags:
    - always
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    var_removable_partition='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_removable_partition" use="legacy"/>'