{"description": "The <tt>noexec</tt> mount option can be used to prevent binaries\nfrom being executed out of <tt>/var/log</tt>.\nAdd the <code>noexec</code> option to the fourth column of\n<tt>/etc/fstab</tt> for the line which controls mounting of\n<code>/var/log</code>.", "rationale": "Allowing users to execute binaries from directories containing log files\nsuch as <tt>/var/log</tt> should never be necessary in normal operation and\ncan expose the system to potential compromise.", "severity": "medium", "references": {"nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)", "AC-6", "AC-6(1)", "MP-7"], "nist-csf": ["PR.IP-1", "PR.PT-2", "PR.PT-3"], "srg": ["SRG-OS-000368-GPOS-00154"], "anssi": ["R28"], "cis": ["1.1.2.6.4"]}, "control_references": {"anssi": ["R28"], "cis": ["1.1.2.6.4"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"/var/log\" file system does not have the \"noexec\" option set", "ocil": "Verify the <tt>noexec</tt> option is configured for the <tt>/var/log</tt> mount point,\n    run the following command:\n    <pre>$ sudo mount | grep '\\s/var/log\\s'</pre>\n    <pre>. . . /var/log . . . noexec . . .</pre>\n", "oval_external_content": null, "fixtext": "Modify \"/etc/fstab\" to use the \"noexec\" option on the \"/var/log\" directory.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must mount /var/log with the noexec option.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must mount /var/log with the noexec option.", "vuldiscussion": "The \"noexec\" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.", "checktext": "Verify \"/var/log\" is mounted with the \"noexec\" option:\n\n$ mount | grep /var/log\n\n/dev/mapper/rhel-var-log on /var/log type xfs (rw,nodev,nosuid,noexec,seclabel)\n\nIf the \"/var/log\" file system is mounted without the \"noexec\" option, this is a finding.", "fixtext": "Modify \"/etc/fstab\" to use the \"noexec\" option on the \"/var/log\" directory."}}, "platform": "mount[var-log]", "platforms": ["mount[var-log]"], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": ["mount_var-log"], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Add noexec Option to /var/log", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml", "template": {"name": "mount_option", "vars": {"mountpoint": "/var/log", "mountoption": "noexec"}, "backends": {}}}