Profile Applicability:
 • Level 1

Description:
 The /tmp directory is used for temporary files by system and user applications. Mounting /tmp on a separate partition isolates temporary files from the root filesystem, improving security and stability.

Rationale:
 Having /tmp on a separate partition limits the impact of denial-of-service attacks, prevents temporary file exhaustion from affecting other filesystems, and allows specific mount options (e.g., noexec, nosuid) to be applied, reducing security risks.

Impact:
 Pros:

  • Limits damage caused by rogue or malformed temporary files.

  • Allows enforcing stricter mount options for better security.

  • Prevents /tmp from filling the root filesystem.

Cons:

  • Requires partitioning and potentially additional disk space allocation.

  • Misconfiguration may cause system startup issues.

Default Value:
 By default, /tmp is often part of the root filesystem rather than a separate partition.

Pre-requisites:

  • Root or sudo privileges to modify disk partitions and /etc/fstab.

  • Backup of critical data before repartitioning.

Remediation:

Test Plan:

Using Linux command line:

  1. Check current mount points:

     mount | grep /tmp

  2. Verify /tmp is mounted on a separate partition:

     findmnt /tmp

  3. Check /etc/fstab for the /tmp entry:

     grep /tmp /etc/fstab

     Expected output: /tmp should be listed as a separate mount point with appropriate options.


Implementation Plan:

Using Linux command line:

  1. Create a separate partition or logical volume for /tmp (using tools such as fdisk or lvcreate).

  2. Format the new partition:

     mkfs.ext4 /dev/<partition>

  3. Back up the current /tmp contents:

     cp -a /tmp /tmp_backup

  4. Mount the new partition temporarily:

     mount /dev/<partition> /mnt

  5. Copy back the contents:

     cp -a /tmp_backup/* /mnt/

  6. Unmount the temporary mount:

     umount /mnt

  7. Mount /tmp (this uses the /tmp entry in /etc/fstab):

     mount /tmp

  8. Verify the mount and permissions.
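The Test Plan checks above and the final "verify the mount and permissions" step can be scripted. The helpers below are an added example, not CIS text or benchmark tooling; they assume the expected hardening options are nodev, nosuid and noexec (the page names noexec and nosuid as examples; nodev is an added assumption), that /tmp carries the usual 1777 mode, and that the new filesystem is ext4 to match the mkfs.ext4 step. The sample fstab content is constructed for offline demonstration.

```sh
#!/bin/sh
# Added audit helpers for the /tmp separate-partition control; not CIS text.
# Assumption: required hardening options are nodev, nosuid and noexec.
REQUIRED_OPTS="nodev nosuid noexec"

# Constructed sample /etc/fstab content (not from a real system).
SAMPLE_FSTAB='# constructed sample
UUID=0000-0000 /    ext4 defaults                      0 1
/dev/sdb1      /tmp ext4 defaults,nodev,nosuid,noexec  0 2'

# fstab_tmp_options FSTAB_CONTENT
#   Prints the option field (4th column) of the non-comment entry whose
#   mount point is /tmp. Prints nothing and returns 1 when no entry exists.
fstab_tmp_options() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^#/ && $2 == "/tmp" { print $4; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# tmp_options_ok OPTIONS
#   OPTIONS is a comma-separated mount option string, as printed by
#   `findmnt -no OPTIONS /tmp` or returned by fstab_tmp_options. Returns 0
#   when every required option is present; otherwise lists the missing
#   ones on stderr and returns 1.
tmp_options_ok() {
    opts=",$1,"
    missing=""
    for o in $REQUIRED_OPTS; do
        case "$opts" in
            *",$o,"*) ;;                 # option present
            *) missing="$missing $o" ;;  # option absent
        esac
    done
    [ -z "$missing" ] && return 0
    echo "/tmp is missing mount options:$missing" >&2
    return 1
}

# tmp_mode_ok MODE
#   MODE is the octal mode of /tmp as printed by `stat -c %a /tmp`.
#   /tmp must be world-writable with the sticky bit set (1777) so users can
#   only remove their own files.
tmp_mode_ok() {
    [ "$1" = "1777" ]
}

# fstab_entry DEVICE
#   Prints the /etc/fstab line that `mount /tmp` in the implementation plan
#   relies on. DEVICE is the partition or logical volume created in step 1
#   (assumed ext4, matching the mkfs.ext4 step).
fstab_entry() {
    printf '%s /tmp ext4 defaults,nodev,nosuid,noexec 0 2\n' "$1"
}

# audit_live_tmp
#   Runs the checks against the running system (needs findmnt and GNU stat).
#   Returns non-zero on the first failed check.
audit_live_tmp() {
    live_opts=$(findmnt -no OPTIONS /tmp) || {
        echo "/tmp is not a separate mount point" >&2; return 1; }
    tmp_options_ok "$live_opts" || return 1
    tmp_options_ok "$(fstab_tmp_options "$(cat /etc/fstab)")" || return 1
    tmp_mode_ok "$(stat -c %a /tmp)" || {
        echo "/tmp mode is not 1777" >&2; return 1; }
    echo "/tmp: separate mount, hardened options, mode 1777"
}

# Offline demonstration on the constructed sample (no root required).
tmp_options_ok "$(fstab_tmp_options "$SAMPLE_FSTAB")" && echo "sample fstab entry OK"
```

Run `audit_live_tmp` on the target host to perform the live check; the fstab entry is audited separately from the live mount options because a system can pass one and fail the other (for example, a manual `mount -o remount,noexec /tmp` that is not persisted in /etc/fstab).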

Backout Plan:

Using Linux command line:

  1. Remove or comment out the /tmp entry in /etc/fstab.

  2. Unmount /tmp:

     umount /tmp

  3. Restore the original /tmp contents if needed:

     cp -a /tmp_backup/* /tmp/

  4. Reboot the system or remount the root filesystem.

References: