Bind Mount /var/tmp To /tmp
An XCCDF Rule
Description
The /var/tmp directory is a world-writable directory. Bind-mount it to /tmp in order to consolidate temporary storage into one location protected by the same techniques as /tmp. To do so, edit /etc/fstab and add the following line:
/tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0
See the mount(8) man page for further explanation of bind mounting.
Rationale
Having multiple locations for temporary storage is not required. Unless absolutely necessary to meet requirements, the storage location /var/tmp should be bind mounted to /tmp and thus share the same protections.
- ID
- xccdf_org.ssgproject.content_rule_mount_option_var_tmp_bind
- Severity
- Unknown
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && findmnt --kernel "/var/tmp" > /dev/null || findmnt --fstab "/var/tmp" > /dev/null ); then
# Delete particular /etc/fstab's row if /var/tmp is already configured to
# represent a mount point (for some device or filesystem other than /tmp)
if grep -q -P '.*\/var\/tmp.*' /etc/fstab; then
    sed -i '/\/var\/tmp/d' /etc/fstab
fi
# The script is truncated on this page beyond the grep above; the append below completes it with the fstab entry given in the Description
echo "/tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0" >> /etc/fstab
fi