Configure Polyinstantiation of /var/tmp Directories

An XCCDF Rule

Description

To configure polyinstantiated /tmp directories, first create the parent directories which will hold the polyinstantiation child directories. Use the following command:

$ sudo mkdir --mode 000 /var/tmp/tmp-inst

Then, add the following entry to /etc/security/namespace.conf:

/var/tmp /var/tmp/tmp-inst/    level      root,adm

Rationale

Polyinstantiation of temporary directories is a proactive security measure which reduces chances of attacks that are made possible by /var/tmp directories being world-writable.

ID: xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp
Severity: Low
References: BP28(R39)

CCE-91507-4
Updated: about 1 year ago


# shellcheck disable=SC2174
mkdir -p --mode 000 /var/tmp/tmp-inst
chmod 000 /var/tmp/tmp-inst
chcon --reference=/var/tmp /var/tmp/tmp-inst
if ! grep -Eq '^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then
    if grep -Eq '^\s*/var/tmp\s+' /etc/security/namespace.conf ; then
        sed -i '/^\s*\/var\/tmp/d' /etc/security/namespace.conf
    fi
    echo "/var/tmp /var/tmp/tmp-inst/    level      root,adm" >> /etc/security/namespace.conf
fi

- name: Create /var/tmp/tmp-inst directory
  file:
    path: /var/tmp/tmp-inst
    state: directory
    mode: '000'
    seuser: system_u    serole: object_r
    setype: tmp_t
  tags:
  - CCE-91507-4
  - accounts_polyinstantiated_var_tmp
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy

- name: Make changes to /etc/security/namespace.conf
  lineinfile:
    path: /etc/security/namespace.conf
    create: false
    regexp: ^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$
    line: /var/tmp /var/tmp/tmp-inst/    level      root,adm
    state: present
  tags:
  - CCE-91507-4
  - accounts_polyinstantiated_var_tmp
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy

Configure Polyinstantiation of /var/tmp Directories

Description

Rationale

Remediation - Shell Script

Remediation - Ansible