Configure Polyinstantiation of /tmp Directories
An XCCDF Rule
Description
To configure polyinstantiated /tmp directories, first create the parent directory which will hold the per-user polyinstantiation child directories. Use the following command:
$ sudo mkdir --mode 000 /tmp/tmp-inst
Then, add the following entry to /etc/security/namespace.conf:
/tmp /tmp/tmp-inst/ level root,adm
The fields are the directory to polyinstantiate, the prefix under which the instance directories are created, the polyinstantiation method, and a comma-separated list of users who keep the shared directory instead of a private instance (here root and adm). Mode 000 on the parent keeps ordinary users from listing or creating entries under it; pam_namespace creates the instance directories itself at login. The entry has no effect unless pam_namespace.so is loaded in the PAM session stack of the login services concerned.
Rationale
Polyinstantiation of temporary directories is a proactive security measure which reduces the chances of attacks that are made possible by /tmp directories being world-writable, such as symlink and race attacks on predictable temporary file names, and exposure of one user's temporary files to another. Each user sees a private instance of /tmp, so files created by one session are not visible to, or writable by, other users.
- ID
- xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp
- Severity
- Low
- References
- Updated
Remediation Templates
An Ansible Snippet
- name: Create /tmp/tmp-inst directory
  file:
    path: /tmp/tmp-inst
    state: directory
    mode: '000'
    seuser: system_u
A Shell Script
# shellcheck disable=SC2174
# Create the instance parent with mode 000; chmod again in case it already
# existed with a different mode (mkdir --mode only applies to a new directory).
mkdir -p --mode 000 /tmp/tmp-inst
chmod 000 /tmp/tmp-inst
# Give the parent the same SELinux context as /tmp so pam_namespace can label
# the instance directories correctly (this step is only meaningful with SELinux).
chcon --reference=/tmp /tmp/tmp-inst
# Append the namespace.conf entry only if an equivalent active line is not
# already present; the entry itself is the one given in the description.
if ! grep -Eq '^\s*/tmp\s+/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then
    echo "/tmp /tmp/tmp-inst/ level root,adm" >> /etc/security/namespace.conf
fi
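The remediation above changes the system; the script below is an added example (not part of the SSG rule, its OVAL check, or its remediation templates) that audits the resulting state the way a practitioner would before trusting the rule: it checks that namespace.conf carries an active entry for /tmp, that the instance parent has mode 000, and that pam_namespace.so is actually loaded by a PAM service, without which the entry is inert. Each function takes an optional path so it can be run against copies of the files; the defaults are the paths used by the rule, except /etc/pam.d/login, which is an assumed example of a login service. GNU stat(1) is assumed.

```shell
#!/bin/sh
# Added example, not SSG code: audit checks for /tmp polyinstantiation.
# Functions take an optional path argument so they can be run against test
# copies; defaults are the real system paths (GNU coreutils assumed).

# Is there an active (non-comment) namespace.conf entry polyinstantiating
# /tmp under /tmp/tmp-inst with the "level" method?  Trailing comments are
# stripped and any run of whitespace between fields is accepted, so a hand
# edited line such as "/tmp   /tmp/tmp-inst/   level   root,adm  # note"
# matches, while a commented-out or "user"-method entry does not.
has_tmp_namespace_entry() {
    conf="${1:-/etc/security/namespace.conf}"
    [ -r "$conf" ] || return 1
    sed -e 's/#.*$//' "$conf" | awk '
        NF >= 3 && $1 == "/tmp" && ($2 == "/tmp/tmp-inst/" || $2 == "/tmp/tmp-inst") && $3 == "level" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Is the instance parent a directory with mode 000?  GNU stat prints the
# octal mode without leading zeros, so mode 000 is reported as "0".
instance_parent_mode_ok() {
    dir="${1:-/tmp/tmp-inst}"
    [ -d "$dir" ] || return 1
    [ "$(stat -c '%a' "$dir")" = "0" ]
}

# namespace.conf is only read by pam_namespace.so, so the entry is inert
# unless a service's PAM session stack loads the module.  Checks one PAM
# file; /etc/pam.d/login is an assumed example, each login service that
# should get a private /tmp needs its own session line.  Accepts either a
# plain control word (required, optional, ...) or a [...] control field.
pam_namespace_enabled() {
    pamfile="${1:-/etc/pam.d/login}"
    [ -r "$pamfile" ] || return 1
    grep -Eq '^[[:space:]]*session[[:space:]]+([a-z]+|\[[^]]*\])[[:space:]]+pam_namespace\.so' "$pamfile"
}

# Run the three checks against the real system paths, print PASS/FAIL per
# check, and return non-zero if any of them failed.
audit_tmp_polyinstantiation() {
    rc=0
    for check in has_tmp_namespace_entry instance_parent_mode_ok pam_namespace_enabled; do
        if "$check"; then
            printf 'PASS %s\n' "$check"
        else
            printf 'FAIL %s\n' "$check"
            rc=1
        fi
    done
    return $rc
}

# Run the full audit only when invoked as "sh audit_tmp.sh --audit" (assumed
# script name), so the file can also be sourced for its functions.
if [ "${1:-}" = "--audit" ]; then
    audit_tmp_polyinstantiation
fi
```

Run it as root with `--audit` after applying the remediation; a PASS on the first two checks with a FAIL on the third is the common case where the files have been edited but no PAM service loads pam_namespace.so, and users still share one /tmp.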