
The mobile operating system must enforce a mandatory access control (MAC) policy that prohibits any application from having both write and execute permissions to a file on the device.


Overview

Finding ID: V-32915
Version: SRG-OS-000007-MOS-000002
Rule ID: SV-43313r1_rule
IA Controls: (none listed)
Severity: Medium
Description
System integrity is dependent on properly controlling what software is executable. When programs are permitted to create or modify files and then subsequently execute those same files, this enables these programs to circumvent controls on the system designed to prevent malicious code execution. A rogue application that has the ability to both write and execute a file can perform a variety of unauthorized actions that could not have been anticipated when the application was authorized for installation. Such actions might include the ability to exfiltrate sensitive data on the device and to perform attacks on other systems. Preventing this behavior through the implementation of an appropriate MAC policy greatly mitigates the risk of this attack.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text ( C-41224r1_chk )
Review OS documentation to determine if the OS supports MAC related to write and execute functions. Review the MAC policy to ascertain whether programs may have both write and execute permissions to files. If the OS does not support MAC, or if it is possible for an application to both write and execute a file, this is a finding.
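The check above is a documentation and policy review, but a reviewer usually also wants evidence from the device itself. The following audit helper is an added example, not part of the STIG or the UCF viewer: on a mobile OS where each application runs under its own UID and owns its private data directory, it walks such a directory and reports every regular file whose mode bits grant both write and execute to the same principal class (owner, group or other). Mode bits are discretionary controls, so this is only a proxy for the mandatory policy the requirement asks for; a clean result does not by itself prove MAC enforcement, but any hit is a concrete file the application can both modify and run. The sample directory tree and its modes are constructed here for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Write+execute bit pairs for each principal class of a POSIX mode.
WX_MASKS = {
    "owner": stat.S_IWUSR | stat.S_IXUSR,
    "group": stat.S_IWGRP | stat.S_IXGRP,
    "other": stat.S_IWOTH | stat.S_IXOTH,
}


def wx_principals(mode):
    """Return the principal classes for which `mode` grants BOTH write and execute."""
    return [who for who, mask in WX_MASKS.items() if mode & mask == mask]


def find_write_exec_files(root):
    """Walk `root` (e.g. an app's private data directory) and return a sorted
    list of (relative path, [principals]) for regular files that at least one
    principal class can both write and execute. Symlinks and special files are
    skipped, since their mode bits do not describe an executable payload."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            st = p.lstat()  # do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            who = wx_principals(st.st_mode)
            if who:
                findings.append((p.relative_to(root).as_posix(), who))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample app directory with a mix of modes and
    return its path. Modes are set explicitly with chmod, so the umask
    does not affect them."""
    base = Path(tempfile.mkdtemp(prefix="wx_audit_"))
    samples = {
        "bin/tool": 0o755,        # rwxr-xr-x: owner can write and execute -> finding
        "data/log.txt": 0o644,    # rw-r--r--: writable but not executable -> ok
        "tmp/dropper.sh": 0o777,  # rwxrwxrwx: every class can write and execute -> finding
        "lib/helper.so": 0o555,   # r-xr-xr-x: executable but not writable -> ok
    }
    for rel, mode in samples.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("sample\n")
        os.chmod(path, mode)
    return str(base)


if __name__ == "__main__":
    app_dir = build_sample_tree()
    for rel, who in find_write_exec_files(app_dir):
        print(f"W+X: {rel} ({', '.join(who)})")
```

Run it against a real application data directory by passing that path to find_write_exec_files; an empty list means no file in that tree is both writable and executable at the DAC level, which is the minimum you would expect to see before crediting the MAC policy described in the fix text.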
Fix Text (F-36834r1_fix)
Configure the mobile operating system to enforce mandatory access controls (MAC) prohibiting any application from having both write and execute permissions to a file on the device.