World-Writable Paths & Mount-Option Hardening Review Prompt
Audit a Linux host for world-writable files, sticky-bit gaps, and missing nosuid/nodev/noexec mount options on /tmp, /var/tmp, /dev/shm and removable media to shrink local privilege-escalation and code-execution surface.
- Target user: security-minded DevOps engineers hardening production Linux servers
- Difficulty: Beginner
- Tools: Claude, ChatGPT
The prompt
You are a senior DevSecOps engineer (defensive/blue-team) who closes the easy local-privesc wins: writable scratch space that runs code, missing sticky bits, and stray world-writable files an attacker can hijack.

I will provide:

- `mount` / `findmnt` output and the contents of `/etc/fstab`
- A scan of world-writable files and directories (e.g. `find / -xdev -type f -perm -0002` and the `-type d` equivalent; `find / -xdev -type d -perm -0002 ! -perm -1000` separates sticky directories such as `/tmp` from the real gaps)
- The host's role and which paths legitimately need exec or writable scratch (build servers, CI runners)

Your job:

1. **Audit temp & shared mounts**: check `/tmp`, `/var/tmp`, `/dev/shm`, and removable mounts for missing `nosuid`, `nodev`, and `noexec`, and flag where code can be executed from writable space. Treat `nosuid` as the highest-value option (it neuters setuid/setgid binaries dropped there) and note that `noexec` blocks direct execution of binaries but not a script handed to an interpreter already installed on the host, so it raises the bar rather than closing the door.
2. **Find world-writable risks**: classify world-writable files and directories; flag directories lacking the sticky bit (any user can delete or rename other users' files there), files owned by root or other privileged accounts, and anything in a `$PATH` directory or a config location such as `/etc`, cron, or unit files.
3. **Assess separate-partition posture**: mount options apply per mount, so note where `/tmp`, `/var` or `/home` share the root filesystem and cannot be hardened independently; recommend a tmpfs or separate partition for `/tmp`, and a bind mount of `/var/tmp` onto `/tmp` so both carry the same options.
4. **Weigh exec exceptions**: for hosts that legitimately execute from `/tmp` (some package installers, CI runners), document the exception narrowly, for example a dedicated scratch mount that keeps `exec` while `/tmp` stays `noexec`, rather than dropping `noexec` everywhere.
5. **Plan safe application**: provide corrected `fstab` entries and the remount sequence (`mount -o remount,...` on the live mount, then verify with `findmnt`), noting that `noexec` on a busy `/tmp` can break installers that are mid-run if applied carelessly, and give the rollback.
6. **Add drift detection**: a check that re-runs the world-writable and mount-option audit on a schedule (cron or a systemd timer) and alerts on regressions against a stored baseline.

Output as: (a) findings table (path, issue, severity, fix), (b) corrected `fstab` lines, (c) safe remount runbook with rollback, (d) recurring drift-check.

Default to caution: prefer adding `nosuid`/`nodev`/`noexec` and sticky bits, but verify legitimate exec-from-`/tmp` workloads first; never remove protections to make a broken installer run.
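The script below is an added worked example, not part of the original page or of the prompt above; it is a minimal offline version of the audit the prompt asks the assistant to perform. It parses constructed `findmnt`-style and `find`-style sample lines (`SAMPLE_MOUNTS`, `SAMPLE_WW`), reports missing `nosuid`/`nodev`/`noexec` on the scratch and removable mounts, classifies world-writable paths (sticky-bit gaps, setuid files, `$PATH` and `/etc` locations, root-owned files), rewrites an `fstab` line with the missing options, and diffs a run against a baseline for drift detection. `HARDEN_TARGETS` and `PATH_DIRS` are assumptions about the host under review, and the sample data is invented.

```shell
#!/bin/sh
# Added example (not from the original page): offline pass over the inputs the prompt asks for.
# SAMPLE_MOUNTS and SAMPLE_WW are constructed stand-ins for `findmnt -rno TARGET,FSTYPE,OPTIONS`
# and `find / -xdev \( -type f -o -type d \) -perm -0002 -printf '%y %m %u %p\n'`.

HARDEN_TARGETS="/tmp /var/tmp /dev/shm /media /mnt /run/media"   # assumed scratch/removable mounts
PATH_DIRS="/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin"  # assumed search path
WANT_OPTS="nosuid nodev noexec"

SAMPLE_MOUNTS='/ ext4 rw,relatime
/tmp tmpfs rw,nosuid,nodev,relatime
/var/tmp ext4 rw,relatime
/dev/shm tmpfs rw,nosuid,nodev,noexec,relatime
/media/usb0 vfat rw,relatime,uid=1000'

SAMPLE_WW='d 1777 root /tmp
d 777 root /var/tmp
f 777 root /usr/local/bin/deploy-hook
f 666 root /etc/cron.d/backup
f 4777 root /opt/legacy/helper
f 666 www-data /var/www/uploads/notes.txt'

# missing_opts OPTIONS: print which of WANT_OPTS are absent from a comma-separated option string.
missing_opts() {
    opts=",$1,"; missing=""
    for w in $WANT_OPTS; do
        case "$opts" in *",$w,"*) ;; *) missing="${missing:+$missing }$w" ;; esac
    done
    printf '%s' "$missing"
}

# is_harden_target MOUNTPOINT: true for a scratch or removable mount we expect to be hardened.
is_harden_target() {
    for t in $HARDEN_TARGETS; do
        case "$1" in "$t"|"$t"/*) return 0 ;; esac
    done
    return 1
}

# audit_mounts: read findmnt-style lines on stdin, emit "mount|fstype|missing ..." per gap.
audit_mounts() {
    while read -r target fstype options; do
        is_harden_target "$target" || continue
        m=$(missing_opts "$options")
        if [ -n "$m" ]; then printf '%s|%s|missing %s\n' "$target" "$fstype" "$m"; fi
    done
    return 0
}

# in_path_dir FILE: true if the file sits directly inside an assumed $PATH directory.
in_path_dir() {
    d=$(dirname "$1")
    for p in $PATH_DIRS; do [ "$d" = "$p" ] && return 0; done
    return 1
}

# classify_ww TYPE MODE OWNER PATH: print "severity|issue|path" for one world-writable entry.
# MODE is find's %m (octal, leading zero dropped); padded to four digits, the first digit
# holds setuid (4), setgid (2) and sticky (1), so sticky is an odd digit and setuid is >= 4.
classify_ww() {
    type="$1"; mode="$2"; owner="$3"; path="$4"
    while [ ${#mode} -lt 4 ]; do mode="0$mode"; done
    special=${mode%???}
    if [ "$type" = d ]; then
        case "$special" in
            [1357]) printf 'info|world-writable sticky directory|%s\n' "$path" ;;
            *)      printf 'high|world-writable directory without sticky bit|%s\n' "$path" ;;
        esac
    elif [ "$special" -ge 4 ]; then
        # setuid on a file anyone can overwrite: swap the body, keep the privilege
        printf 'critical|world-writable setuid file|%s\n' "$path"
    elif in_path_dir "$path"; then
        printf 'critical|world-writable file in $PATH directory|%s\n' "$path"
    elif [ "${path#/etc/}" != "$path" ]; then
        printf 'high|world-writable config under /etc|%s\n' "$path"
    elif [ "$owner" = root ]; then
        printf 'medium|world-writable file owned by root|%s\n' "$path"
    else
        printf 'low|world-writable file owned by %s|%s\n' "$owner" "$path"
    fi
}

# audit_ww: read find-style lines on stdin and classify each one.
audit_ww() {
    while read -r type mode owner path; do [ -n "$path" ] && classify_ww "$type" "$mode" "$owner" "$path"; done
    return 0
}

# harden_fstab_line LINE: append whichever of nosuid/nodev/noexec the entry's option field lacks.
harden_fstab_line() {
    set -- $1
    m=$(missing_opts "$4" | tr ' ' ',')
    printf '%s %s %s %s%s %s %s\n' "$1" "$2" "$3" "$4" "${m:+,$m}" "$5" "$6"
}

# drift_check BASELINE CURRENT: print findings in CURRENT that are absent from BASELINE (the previous report).
drift_check() {
    base=$(mktemp)
    printf '%s\n' "$1" > "$base"
    printf '%s\n' "$2" | grep -Fxv -f "$base" || true
    rm -f "$base"
}

# Findings table, pipe-separated: mount gaps first, then world-writable paths.
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
printf '%s\n' "$SAMPLE_WW" | audit_ww
```

On a real host, feed `audit_mounts` the output of `findmnt -rno TARGET,FSTYPE,OPTIONS` and `audit_ww` the output of the `find ... -printf '%y %m %u %p\n'` scan instead of the samples, and keep one run's output as the baseline for `drift_check` under cron or a systemd timer. The live apply for a mount is `mount -o remount,nosuid,nodev,noexec /tmp` followed by `findmnt /tmp` to confirm; the rollback is `mount -o remount,suid,dev,exec /tmp`, which is why the runbook should be tried on the scratch mount first and only after checking that no installer is mid-run.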