{"description": "The <tt>noexec</tt> mount option can be used to prevent binaries\nfrom being executed out of <tt>/dev/shm</tt>.\nIt can be dangerous to allow the execution of binaries\nfrom world-writable temporary storage directories such as <tt>/dev/shm</tt>.\nAdd the <code>noexec</code> option to the fourth column of\n<tt>/etc/fstab</tt> for the line which controls mounting of\n<code>/dev/shm</code>.", "rationale": "Allowing users to execute binaries from world-writable directories\nsuch as <tt>/dev/shm</tt> can expose the system to potential compromise.", "severity": "medium", "references": {"cis-csc": ["11", "13", "14", "3", "8", "9"], "cobit5": ["APO13.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS05.02", "DSS05.05", "DSS05.06", "DSS06.06"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 7.6"], "iso27001-2013": ["A.11.2.9", "A.12.1.2", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.8.2.1", "A.8.2.2", "A.8.2.3", "A.8.3.1", "A.8.3.3", "A.9.1.2"], "nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)", "AC-6", "AC-6(1)", "MP-7"], "nist-csf": ["PR.IP-1", "PR.PT-2", "PR.PT-3"], "srg": ["SRG-OS-000368-GPOS-00154"], "cis": ["1.1.2.2.4"], "ism": ["1409"]}, "control_references": {"cis": ["1.1.2.2.4"], "ism": ["1409"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"/dev/shm\" file system does not have the \"noexec\" option set", "ocil": "Verify the <tt>noexec</tt> option is configured for the <tt>/dev/shm</tt> mount point,\n    run the following command:\n    <pre>$ sudo mount | grep '\\s/dev/shm\\s'</pre>\n    <pre>. . . /dev/shm . . . noexec . . .</pre>\n", "oval_external_content": null, "fixtext": "Modify \"/etc/fstab\" to use the \"noexec\" option on the \"/dev/shm\" directory.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must mount /dev/shm with the noexec option.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must mount /dev/shm with the noexec option.", "vuldiscussion": "The \"noexec\" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.", "checktext": "Verify \"/dev/shm\" is mounted with the \"noexec\" option with the following command:\n\n$ mount | grep /dev/shm\n\ntmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)\n\nIf the /dev/shm file system is mounted without the \"noexec\" option, this is a finding.", "fixtext": "Modify \"/etc/fstab\" to use the \"noexec\" option on the \"/dev/shm\" file system."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Add noexec Option to /dev/shm", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml", "template": {"name": "mount_option", "vars": {"mountpoint": "/dev/shm", "mountoption": "noexec", "mount_has_to_exist": "false", "filesystem": "tmpfs", "type": "tmpfs"}, "backends": {"anaconda": "off", "blueprint": "off"}}}