Details

The noexec mount option specifies that the filesystem cannot contain executable binaries.

Rationale:

Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system.

Solution

Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.
Run the following command to remount /dev/shm:

# mount -o remount,noexec,nodev,nosuid /dev/shm

Additional Information:

/dev/shm is mounted automatically by systemd. /dev/shm needs to be added to /etc/fstab to add mount options even though it is already being mounted on boot.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3490

This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Configuration Management, Identification and Authentication, Media Protection.This control applies to the following type of system Unix.

References

• 800-53|AC-3
• 800-53|CM-1
• 800-53|CM-2
• 800-53|CM-6
• 800-53|CM-7
• 800-53|IA-5
• 800-53|MP-2
• CSCv7|2.6

Source

• Tenable.com/audits