Profile Applicability:
 • Level 2

Description:
 The /var/tmp directory is used for temporary files that are preserved between system reboots. Mounting /var/tmp on a separate partition isolates temporary files from other system directories, improving system stability and security.

Rationale:
 Having /var/tmp on a separate partition limits the impact of disk space exhaustion or filesystem corruption to temporary files only. It also allows mount options such as nodev, nosuid and noexec to be applied to /var/tmp specifically, which hardens the directory and prevents denial-of-service conditions from spreading to other filesystems.

Impact:
 Pros:

  • Isolates temporary files from critical system and user data.

  • Prevents disk space exhaustion on root or other partitions.

  • Facilitates application of secure mount options.

Cons:

  • Requires additional partitioning and disk space allocation.

  • Incorrect configuration may cause system or application issues.

Default Value:
 By default, /var/tmp is often part of the root or /var filesystem and not a separate partition.

Pre-requisites:

  • Root or sudo privileges to modify disk partitions and /etc/fstab.

  • Backup of important data before repartitioning.

Remediation:

Test Plan:

Using Linux command line:

  1. Check the current mount points for /var/tmp:

     mount | grep /var/tmp

  2. Verify whether /var/tmp is mounted separately:

     findmnt /var/tmp

  3. Check /etc/fstab for the /var/tmp entry:

     grep /var/tmp /etc/fstab

     Expected output: /var/tmp is listed as a separate mount point, with its own source device and the intended mount options.

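To make the test plan above repeatable, the following added audit script (not part of this benchmark text) evaluates findmnt output and /etc/fstab contents for a separate /var/tmp mount carrying nodev, nosuid and noexec; the function names and the sample fstab lines are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark): checks that /var/tmp is its own
# mount point and carries nodev,nosuid,noexec, both on the running system
# (findmnt) and persistently (/etc/fstab). Each check returns 0 only when compliant.

REQUIRED_OPTS="nodev nosuid noexec"

# missing_opts OPTION_LIST: print required options absent from the
# comma-separated list (e.g. "nosuid noexec "); print nothing if all present.
missing_opts() {
    for want in $REQUIRED_OPTS; do
        case ",$1," in
            *,"$want",*) ;;
            *) printf '%s ' "$want" ;;
        esac
    done
}

# check_live LINE: LINE is the output of `findmnt -n -o TARGET,OPTIONS /var/tmp`,
# which is empty when /var/tmp is not a separate mount point.
check_live() {
    [ -n "$1" ] || { echo "FAIL: /var/tmp is not a separate mount point"; return 1; }
    set -- $1                       # split into target and option list
    missing=$(missing_opts "$2")
    [ -z "$missing" ] || { echo "FAIL: /var/tmp mounted without: ${missing% }"; return 1; }
    echo "PASS: /var/tmp is a separate mount with $REQUIRED_OPTS"
}

# check_fstab FSTAB_TEXT: find the non-comment /var/tmp entry and check its
# mount-option field (4th column).
check_fstab() {
    opts=$(printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/var/tmp" {print $4; exit}')
    [ -n "$opts" ] || { echo "FAIL: no /var/tmp entry in /etc/fstab"; return 1; }
    missing=$(missing_opts "$opts")
    [ -z "$missing" ] || { echo "FAIL: /etc/fstab entry lacks: ${missing% }"; return 1; }
    echo "PASS: /etc/fstab entry for /var/tmp has $REQUIRED_OPTS"
}

# audit_var_tmp: run both checks against the real host; exit status 0 = compliant.
audit_var_tmp() {
    rc=0
    check_live "$(findmnt -n -o TARGET,OPTIONS /var/tmp 2>/dev/null)" || rc=1
    check_fstab "$(cat /etc/fstab)" || rc=1
    return "$rc"
}
```

Source the file and call audit_var_tmp on the host being assessed; a non-zero exit status means at least one of the two checks failed.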

Implementation Plan:

Using Linux command line:

  1. Create a separate partition or logical volume for /var/tmp.

  2. Format the partition:

     mkfs.ext4 /dev/<partition>

  3. Back up the existing /var/tmp data:

     cp -a /var/tmp /var/tmp_backup

  4. Mount the new partition temporarily:

     mount /dev/<partition> /mnt

  5. Copy the backed-up data onto the new filesystem (the trailing /. also copies hidden files):

     cp -a /var/tmp_backup/. /mnt/

  6. Add a /var/tmp entry to /etc/fstab with secure mount options, for example:

     /dev/<partition>  /var/tmp  ext4  defaults,nodev,nosuid,noexec  0  0

  7. Unmount the temporary mount:

     umount /mnt

  8. Mount /var/tmp:

     mount /var/tmp

  9. Verify the mount and the directory permissions:

     findmnt /var/tmp
     ls -ld /var/tmp

Backout Plan:

Using Linux command line:

  1. Remove or comment out /var/tmp entry in /etc/fstab.

  2. Unmount /var/tmp:

     umount /var/tmp

  3. Restore the backup if needed (the trailing /. also copies hidden files):

     cp -a /var/tmp_backup/. /var/tmp/

  4. Reboot or remount root filesystem.
