Add noexec Option to Removable Media Partitions

Classification:

compliance

Framework:

Control:

Description

The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions.

Rationale

Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    # XCCDF value: the device node of the removable partition (for example
    # /dev/sdb1). It is empty here and must be filled in before running,
    # otherwise the regex below would match any whitespace-led line in fstab.
    var_removable_partition=''
    if [ -z "$var_removable_partition" ]; then
        echo "var_removable_partition is not set, refusing to edit /etc/fstab" >&2
        exit 1
    fi

    device_regex="^\s*$var_removable_partition\s\+"
    mount_option="noexec"

    # Quoting the regex keeps the shell from glob-expanding the '*' in it.
    if grep -q "$device_regex" /etc/fstab ; then
        previous_opts=$(grep "$device_regex" /etc/fstab | awk '{print $4}')
        # Append the option to the existing options field of the matching line.
        sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab
    else
        echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2
        # 'return' is only valid inside a function or a sourced file; a script
        # run directly on the host has to exit instead.
        exit 1
    fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: XCCDF Value var_removable_partition # promote to variable
  set_fact:
    # Empty here: the device (for example /dev/sdb1) is supplied by the profile
    var_removable_partition: !!str
  tags:
    - always

- name: Ensure permission noexec are set on var_removable_partition
  lineinfile:
    path: /etc/fstab
    regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$
    backrefs: true
    line: \1 \2 \3 \4,noexec \5
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-80147-2
    - NIST-800-53-AC-6
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - NIST-800-53-MP-7
    - configure_strategy
    - high_disruption
    - low_complexity
    - medium_severity
    - mount_option_noexec_removable_partitions
    - no_reboot_needed
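As an added example (not part of the rule's own shell or Ansible remediation), the POSIX sh functions below make the same fstab edit idempotently, so a second run does not append ",noexec" again the way the sed and lineinfile steps above do, refuse to act when the device has no entry, and provide the audit check a compliance scan would run. The /dev/sdb1 device name and the sample fstab content are constructed placeholders; nothing here touches the real /etc/fstab.

```shell
# fstab_has_option FILE DEVICE OPTION: succeeds when the uncommented fstab
# entry whose first field is DEVICE lists OPTION in its fourth (options) field.
fstab_has_option() {
    awk -v dev="$2" -v opt="$3" '
        $0 !~ /^[[:space:]]*#/ && $1 == dev {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# fstab_add_option FILE DEVICE OPTION: appends OPTION to the options field of
# the DEVICE entry. Idempotent: a second run changes nothing. Returns 1 when
# DEVICE has no entry, mirroring the "Not remediating" branch of the rule.
fstab_add_option() {
    file=$1; dev=$2; opt=$3
    if ! awk -v dev="$dev" '$0 !~ /^[[:space:]]*#/ && $1 == dev { f = 1 }
                             END { exit (f ? 0 : 1) }' "$file"; then
        echo "no fstab entry for $dev in $file" >&2
        return 1
    fi
    fstab_has_option "$file" "$dev" "$opt" && return 0   # already compliant
    tmp=$(mktemp)
    # Only the matching line is rebuilt (tab-separated); every other line is
    # printed unchanged. cat keeps the target file's owner and mode.
    awk -v dev="$dev" -v opt="$opt" 'BEGIN { OFS = "\t" }
        $0 !~ /^[[:space:]]*#/ && $1 == dev { $4 = $4 "," opt }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Demonstration on a constructed fstab copy (constructed sample data):
demo_fstab=$(mktemp)
printf '%s\n' '# constructed sample, not a real system' \
    'UUID=PLACEHOLDER-ROOT  /  ext4  defaults  1 1' \
    '/dev/sdb1  /media/usb  vfat  defaults,nosuid,nodev  0 0' > "$demo_fstab"
fstab_add_option "$demo_fstab" /dev/sdb1 noexec
fstab_add_option "$demo_fstab" /dev/sdb1 noexec   # second run is a no-op
cat "$demo_fstab"
rm -f "$demo_fstab"
```

The edit only takes effect at the next mount; a partition that is already mounted needs a remount before noexec is enforced.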