Add noexec Option to Removable Media Partitions
Description
The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media.

Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.
Rationale
Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.
Shell script
The following script can be run on the host to remediate the issue.
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    # XCCDF value var_removable_partition: the device of the removable media
    # partition as it appears in the first column of /etc/fstab. It must be set
    # before the script is run; it is left empty here as a placeholder.
    var_removable_partition=''
    device_regex="^\s*$var_removable_partition\s\+"
    mount_option="noexec"

    if grep -q "$device_regex" /etc/fstab ; then
        # Append noexec to the existing options (fourth column) of the matching line
        previous_opts=$(grep "$device_regex" /etc/fstab | awk '{print $4}')
        sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab
    else
        echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2
        # exit (not return) so the script fails cleanly when run directly on the host
        exit 1
    fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
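The sed remediation above appends ",noexec" unconditionally, so running it twice yields "noexec,noexec". As an added example (not part of the ComplianceAsCode rule), the POSIX shell helpers below audit the options column of an fstab entry and add noexec only when it is missing; the fstab text and the device names in it are constructed sample values.

```shell
#!/bin/sh
# Added example: idempotent audit and remediation of the noexec option for one
# fstab entry. Fstab content is passed as text so it can be tested without
# touching the real /etc/fstab; SAMPLE_FSTAB below is constructed.

# Print the options (4th) column of the fstab line whose 1st column equals $2.
fstab_opts() {  # $1 = fstab text, $2 = device
    printf '%s\n' "$1" | awk -v dev="$2" '$1 == dev { print $4; exit }'
}

# Return 0 when the entry for device $2 already carries noexec, 1 otherwise
# (including when no entry for the device exists).
fstab_has_noexec() {  # $1 = fstab text, $2 = device
    opts=$(fstab_opts "$1" "$2")
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *,noexec,*) return 0 ;;
    esac
    return 1
}

# Print the fstab text with noexec appended to device $2's options, but only
# if it is not already present, so repeated runs leave the file unchanged.
fstab_add_noexec() {  # $1 = fstab text, $2 = device
    if fstab_has_noexec "$1" "$2"; then
        printf '%s\n' "$1"
        return 0
    fi
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == dev && $4 !~ /(^|,)noexec(,|$)/ { $4 = $4 ",noexec" }
        { print }'
}

# Constructed sample fstab: a root filesystem and a removable USB partition.
SAMPLE_FSTAB='/dev/mapper/root /          ext4 defaults    1 1
/dev/sdb1        /media/usb vfat nosuid,nodev 0 0'
```

To apply the check to a live system, pass "$(cat /etc/fstab)" as the first argument and redirect the output of fstab_add_noexec to a temporary file before replacing /etc/fstab.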
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: XCCDF Value var_removable_partition # promote to variable
  set_fact:
    var_removable_partition: !!str
  tags:
    - always

- name: Ensure permission noexec are set on var_removable_partition
  lineinfile:
    path: /etc/fstab
    regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$
    backrefs: true
    line: \1 \2 \3 \4,noexec \5
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-80147-2
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_noexec_removable_partitions
    - no_reboot_needed