UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The mobile operating system must enforce a mandatory access control (MAC) policy that prohibits any application from having both write and execute permissions to a file on the device.


Overview

Finding ID Version Rule ID IA Controls Severity
V-32915 SRG-OS-000007-MOS-000002 SV-43313r1_rule Medium
Description
System integrity is dependent on properly controlling what software is executable. When programs are permitted to create or modify files and then subsequently execute those same files, this enables these programs to circumvent controls on the system designed to prevent malicious code execution. A rogue application that has the ability to both write and execute a file can perform a variety of unauthorized actions that could not have been anticipated when the application was authorized for installation. Such actions might include the ability to exfiltrate sensitive data on the device and to perform attacks on other systems. Preventing this behavior through the implementation of an appropriate MAC policy greatly mitigates the risk of this attack.
STIG Date
Mobile Operating System Security Requirements Guide 2013-07-03

Details

Check Text ( C-41224r1_chk )
Review OS documentation to determine if the OS supports MAC related to write and execute functions. Review the MAC policy to ascertain whether programs may have both write and execute permissions to files. If the OS does not support MAC, or if it is possible for an application to both write and execute a file, this is a finding.
Fix Text (F-36834r1_fix)
Configure the mobile operating system to enforce mandatory access controls (MAC) prohibiting any application from having both write and execute permissions to a file on the device.