{"description": "The <tt>noexec</tt> mount option can be used to prevent binaries from being\nexecuted out of <tt>/home</tt>.\nAdd the <code>noexec</code> option to the fourth column of\n<tt>/etc/fstab</tt> for the line which controls mounting of\n<code>/home</code>.", "rationale": "The <tt>/home</tt> directory contains data of individual users. Binaries in\nthis directory should not be considered as trusted and users should not be\nable to execute them.", "severity": "medium", "references": {"nist": ["CM-6(b)"], "srg": ["SRG-OS-000480-GPOS-00227"], "anssi": ["R28"]}, "control_references": {"anssi": ["R28"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"/home\" file system does not have the \"noexec\" option set", "ocil": "Verify the <tt>noexec</tt> option is configured for the <tt>/home</tt> mount point,\n    run the following command:\n    <pre>$ sudo mount | grep '\\s/home\\s'</pre>\n    <pre>. . . /home . . . noexec . . .</pre>\n", "oval_external_content": null, "fixtext": "Modify \"/etc/fstab\" to use the \"noexec\" option on the \"/home\" directory.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must mount /home with the noexec option.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must prevent code from being executed on file systems that contain user home directories.", "vuldiscussion": "The \"noexec\" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.", "checktext": "Verify \"/home\" is mounted with the \"noexec\" option with the following command:\n\nNote: If a separate file system has not been created for the user home directories (user home directories are mounted under \"/\"), this is automatically a finding, as the \"noexec\" option cannot be used on the \"/\" system.\n\n$ mount | grep /home\n\ntmpfs on /home type xfs (rw,nodev,nosuid,noexec,seclabel)\n\nIf the \"/home\" file system is mounted without the \"noexec\" option, this is a finding.", "fixtext": "Modify \"/etc/fstab\" to use the \"noexec\" option on the \"/home\" directory."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Add noexec Option to /home", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/partitions/mount_option_home_noexec/rule.yml", "template": {"name": "mount_option", "vars": {"mountpoint": "/home", "mountoption": "noexec"}, "backends": {}}}