{"description": "The <tt>noexec</tt> mount option can be used to prevent binaries from being\nexecuted out of <tt>/boot</tt>.\nAdd the <code>noexec</code> option to the fourth column of\n<tt>/etc/fstab</tt> for the line which controls mounting of\n<code>/boot</code>.", "rationale": "The <tt>/boot</tt> partition contains the kernel and the bootloader. No\nbinaries should be executed from this partition after the booting process\nfinishes.", "severity": "medium", "references": {"anssi": ["R28"]}, "control_references": {"anssi": ["R28"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"/boot\" file system does not have the \"noexec\" option set", "ocil": "Verify the <tt>noexec</tt> option is configured for the <tt>/boot</tt> mount point,\n    run the following command:\n    <pre>$ sudo mount | grep '\\s/boot\\s'</pre>\n    <pre>. . . /boot . . . noexec . . .</pre>\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Add noexec Option to /boot", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/partitions/mount_option_boot_noexec/rule.yml", "template": {"name": "mount_option", "vars": {"mountpoint": "/boot", "mountoption": "noexec"}, "backends": {}}}