By using AWS re:Post, you agree to the Terms of Use
Unanswered Questions in AWS Well-Architected Framework
Sort by most recent

Browse through the questions and answers listed below or filter and sort to narrow down your results.

Not using "noexec" with "/run" mount, on EC2 Ubuntu 22.04.1 LTS

I believe this *might* be a security issue, as [this happened in 2014](https://www.tenable.com/plugins/nessus/73180), but would rather not pay $29 for "Premium Support". It looks like the `initramfs` is not always mounting the `/run` partition as `noexec`. A stock `Ubuntu 22.04` install shows the `noexec` mount option is present ([source](https://askubuntu.com/a/1432445/924107)), so I suspect one of the AWS modifications has affected this? I can check four EC2 servers that are running `Ubuntu 22.04.1 LTS`, three of them upgraded from `Ubuntu 20.04.5`, the other started new a few weeks ago... oddly, two of the upgraded servers have kept the `noexec`. ``` # New server # Launched: Sep 02 2022 # AMI name: ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20220609 mount | grep '/run ' tmpfs on /run type tmpfs (rw,nosuid,nodev,size=803020k,nr_inodes=819200,mode=755,inode64) uname -a Linux HostB 5.15.0-1020-aws #24-Ubuntu SMP Thu Sep 1 16:04:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux ``` ``` # Upgraded server # Launched: Apr 25 2022 # AMI name: ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20211129 mount | grep '/run ' tmpfs on /run type tmpfs (rw,nosuid,nodev,size=94812k,nr_inodes=819200,mode=755,inode64) uname -a Linux HostA 5.15.0-1020-aws #24-Ubuntu SMP Thu Sep 1 16:04:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux ``` ``` # Upgraded server # Launched: Nov 16 2021 # AMI name: ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20180522 mount | grep '/run ' tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=47408k,mode=755,inode64) uname -a Linux HostC 5.15.0-1020-aws #24-Ubuntu SMP Thu Sep 1 16:04:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux ``` ``` # Upgraded server # Launched: Feb 10 2017 # AMI name: ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20170113 mount | grep '/run ' tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=202012k,mode=755,inode64) uname -a Linux HostD 5.15.0-48-generic #54-Ubuntu SMP Fri Aug 26 13:26:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux ```
0
answers
0
votes
6
views
asked 2 hours ago