1.1.2 Ensure /tmp is configured

Information

The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.

Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.

This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp.

Solution

Run the following commands to configure mount options

systemctl edit tmp.mount

Edit the file to define the options that needs to be set. For example:

[Mount]
Options=
Options=mode=1777,strictatime,noexec,nodev,nosuid

Restart the tmp.mount

systemctl daemon-reload # might be optional
systemctl restart tmp.mount

/etc is stateless on Container-Optimized OS. Therefore, /etc cannot be used to make these changes persistent across reboots. The steps mentioned above needs to be performed after every boot.

Impact:

Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition.

Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a default installation a disk-based /tmp will essentially have the whole disk available, as it only creates a single / partition. On the other hand, a RAM-based /tmp as with tmpfs will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily.

/tmp utilizing tmpfs can be resized using the size={size} parameter on the Options line on the tmp.mount file

See Also

https://workbench.cisecurity.org/benchmarks/12218