The noexec option must be added to removable media partitions.

From Oracle Linux 6 Security Technical Implementation Guide

Part of SRG-OS-000035

Associated with: CCI-000087

SV-65055r1_rule The noexec option must be added to removable media partitions.

Vulnerability discussion

Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.

Check content

To verify that binaries cannot be directly executed from removable media, run the following command: # grep noexec /etc/fstab The output should show "noexec" in use. If it does not, this is a finding.

Fix text

The "noexec" mount option prevents the direct execution of binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The "noexec" option prevents code from being executed directly from the media itself, and may therefore provide a line of defense against certain types of worms or malicious code. Add the "noexec" option to the fourth column of "/etc/fstab" for the line which controls mounting of any removable media partitions.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer