Title: Ensure noexec option set on /var partition Description: The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /var filesystem is only intended for variable files such as logs, set this option to ensure that users cannot run executable binaries from /var . Audit: Verify that the noexec option is set for the /var mount. Run the following command to verify that the noexec mount option is set. Example: # findmnt --kernel /var | grep noexec /var /dev/sdb ext4 rw,nosuid,nodev,noexec,relatime,seclabel Remediation: Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var

[Yes/No]

Remediation: Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var partition. Example: <device> /var <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 Run the following command to remount /var with the configured options: # mount -o remount /var