documentation_complete: true


title: 'Add noexec Option to /home'

description: |-
    The <tt>noexec</tt> mount option can be used to prevent binaries from being
    executed out of <tt>/home</tt>.
    {{{ describe_mount(option="noexec", part="/home") }}}

rationale: |-
    The <tt>/home</tt> directory contains data of individual users. Binaries in
    this directory should not be considered as trusted and users should not be
    able to execute them.

severity: medium

identifiers:
    cce@rhel8: CCE-83328-5
    cce@rhel9: CCE-83875-5
    cce@rhel10: CCE-87810-8
    cce@sle12: CCE-91543-9
    cce@sle15: CCE-91236-0

references:
    nist: CM-6(b)
    srg: SRG-OS-000480-GPOS-00227
    stigid@ol8: OL08-00-010590


{{{ complete_ocil_entry_mount_option("/home", "noexec") }}}

fixtext: '{{{ fixtext_mount_option("/home", "noexec") }}}'

srg_requirement: '{{{ srg_requirement_mount_option("/home", "noexec") }}}'

{{% if "ol" not in families %}}
template:
    name: mount_option
    vars:
        mountpoint: /home
        mountoption: noexec
{{% else %}}
warnings:
    - functionality: |-
        OVAL looks for partitions whose mount point is a substring of any interactive user's home
        directory and validates that noexec option is there. Because of this, there could be false
        negatives when several partitions share a base substring. For example, if there is a home
        directory in <tt>/var/tmp/user1</tt> and there are partitions mounted in <tt>/var</tt> and
        <tt>/var/tmp</tt>. The noexec option is only expected in <tt>/var/tmp</tt>, but OVAL will
        check both.<br/>
        Bash remediation uses the <tt>df</tt> command to find out the partition where the home
        directory is mounted. However, if the directory doesn't exist the remediation won't be
        applied.
template:
    name: mount_option_home
    vars:
        mountoption: noexec
{{% endif %}}