Ensure tmp.mount Unit Is Enabled

An XCCDF Rule

Description

The /tmp directory is a world-writable directory used for temporary file storage. This directory is managed by systemd-tmpfiles. Ensure that the tmp.mount systemd unit is enabled.

Rationale

The /tmp directory is used as temporary storage by many programs. Placing /tmp in a tmpfs filesystem enables the setting of more restrictive mount options, which can help protect programs which use it. The tmp.mount unit configures the tmpfs filesystem and ensures the /tmp directory is wiped during reboot.

ID: xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
Severity: Low
References: R28
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - enable_strategy
  - low_complexity  - low_disruption
  - low_severity
  - no_reboot_needed
  - systemd_tmp_mount_enabled

- name: Enable mount tmp
  ansible.builtin.systemd:
    name: tmp.mount
    enabled: 'yes'
    state: started
    masked: 'false'
  when: ( not ( "kernel" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
    and "bootc" in ansible_facts.packages ) and not ( ansible_virtualization_type
    in ["docker", "lxc", "openvz", "podman", "container"] ) )
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - systemd_tmp_mount_enabled


services --enabled=tmp.mount

# Remediation is applicable only in certain platforms
if ( ! ( { rpm --quiet -q kernel ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ); then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'tmp.mount'
"$SYSTEMCTL_EXEC" start 'tmp.mount'"$SYSTEMCTL_EXEC" enable 'tmp.mount'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure tmp.mount Unit Is Enabled

Description

Rationale

Remediation - Ansible

Remediation - Anaconda Pre-Install Instructions

Remediation - Shell Script