Ensure tmp.mount Unit Us Enabled

An XCCDF Rule

Description

The /tmp directory is a world-writable directory used for temporary file storage. This directory is managed by systemd-tmpfiles. Ensure that the tmp.mount systemd unit is enabled.

Rationale

The /tmp directory is used as temporary storage by many programs. Placing /tmp in a tmpfs filesystem enables the setting of more restrictive mount options, which can help protect programs which use it. The tmp.mount unit configures the tmpfs filesystem and ensures the /tmp directory is wiped during reboot.

ID: xccdf_org.ssgproject.content_rule_systemd_tmp_mount_enabled
Severity: Low
References: R28
Updated: 5 days ago

- name: Enable mount tmp
  ansible.builtin.systemd:
    name: tmp.mount
    enabled: 'yes'
    state: started
    masked: 'false'  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - enable_strategy
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - systemd_tmp_mount_enabled


services --enabled=tmp.mount

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'tmp.mount'
"$SYSTEMCTL_EXEC" start 'tmp.mount'"$SYSTEMCTL_EXEC" enable 'tmp.mount'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure tmp.mount Unit Us Enabled

Description

Rationale

Remediation - Ansible

Remediation - Anaconda Pre-Install Instructions

Remediation - Shell Script