We are facing issues when trying to install ILMT agent on Linux servers (RHEL 7.9). ILMT agent installer (RPM) creating binaries under /var directory by-default, due to "noexce" hardening flag on /var file system (noexec - this specifies that there are no executable binaries – which manes users cannot run executable binaries from this folder) the installation/confuguration is failing. we had to remove the noexec flag from /var partition to complete the installation on a test systsem. Since this is the security exception, we need to check if there's any workaround/options that are available to installa ILMT agent on Linux without removing the noexec flag from /var?

Kindly check and advise.

Hello Team,

Just to clarify the requirement, We are able to install the bigfix agent on Linux server, the bigfix installer creating it's configurations/binaries under the "/var/opt/BESClient/" path and the client Linux server starts reporting to the Bigfix console.

But the Bigfix master server unable to perform the ILMT scanner deployment due to the "NOEXEC" hardening policy/flag on the /var partition. The ILMT scanner program/script "installcit.sh" is stored under the "/var/opt/BESClient/LMT/CIT/citinstall" path. We tried manual local execution of the "installcit.sh" on the server but it failed due to the permission issue due to noexec.

For a testing purpose, we removed the "noexec" flag from /var partition, post that, the deployment was successful and we were able to scan and fetch the report.

Since "NOEXEC" flag is a hardening policy, we cannot remove this flag, we would like to know, if there's any workaround/solution for this, so that we don't need to bypass the security policy?

Hi, see the Error when /var is mounted as noexec section in the following documentation on how to move /var/opt/BESClient to a different partition.

https://help.hcltechsw.com/bigfix/9.5/patch/Patch/Patch_CentOS/r_troubleshooting_centos.html

Regards,