STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021

The Oracle Linux operating system must mount /dev/shm with the noexec option.

DISA Rule

SV-209075r603263_rule

Vulnerability Number

V-209075

Group Title

SRG-OS-000368

Rule Version

OL6-00-000532

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the "/etc/fstab" to use the "noexec" option for all lines containing "/dev/shm".

Check Contents

Verify that the "noexec" option is configured for /dev/shm.

Check that the operating system is configured to use the "noexec" option for /dev/shm with the following command:

# cat /etc/fstab | grep /dev/shm | grep noexec

tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0

If the "noexec" option is not present on the line for "/dev/shm", this is a finding.

Verify "/dev/shm" is mounted with the "noexec" option:

# mount | grep "/dev/shm" | grep noexec

If no results are returned, this is a finding.
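
Added example, not part of the STIG text: a field-aware form of the two checks above, which unlike the grep pipeline ignores commented-out entries and fails if any "/dev/shm" entry lacks the option. It assumes /proc/mounts in place of `mount` output because it shares the fstab column layout; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# /etc/fstab and /proc/mounts share the layout:
#   device  mountpoint  fstype  options  ...

# has_mount_opt FILE MOUNTPOINT OPTION
# Returns 0 only if FILE has at least one non-comment entry for MOUNTPOINT
# and every such entry lists OPTION as an exact comma-separated token.
has_mount_opt() {
    awk -v mp="$2" -v opt="$3" '
        /^[[:space:]]*#/ { next }            # skip commented-out entries
        $2 == mp {                           # exact mount point, not a substring
            seen = 1
            found = 0
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
            if (!found) bad = 1
        }
        END { exit (seen && !bad) ? 0 : 1 }
    ' "$1"
}

# check_dev_shm [FSTAB] [MOUNTS]
# Prints one line per failed check; return status is the number of findings.
check_dev_shm() {
    fstab=${1:-/etc/fstab}
    mounts=${2:-/proc/mounts}
    findings=0
    for f in "$fstab" "$mounts"; do
        if ! has_mount_opt "$f" /dev/shm noexec; then
            echo "FINDING: /dev/shm lacks noexec in $f"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: the only fstab line carrying noexec is commented out,
# so a plain grep would report it while the field-aware check does not.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# tmpfs /dev/shm tmpfs defaults,noexec 0 0' \
                  'tmpfs /dev/shm tmpfs defaults,nodev,nosuid 0 0' > "$d/fstab"
    printf '%s\n' 'tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0' > "$d/mounts"
    check_dev_shm "$d/fstab" "$d/mounts" || echo "findings: $?"
    rm -rf "$d"
}
demo
```

Calling `check_dev_shm` with no arguments checks the live /etc/fstab and /proc/mounts.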

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2928

Comments