
# 1.1.2.1 Ensure /tmp is a separate partition

## Audit

Run the following command and verify that the output shows /tmp is mounted. Specific requirements for the mount options are covered in the following sections.

```
# findmnt --kernel /tmp
TARGET SOURCE FSTYPE OPTIONS
/tmp tmpfs tmpfs rw,nosuid,nodev,noexec,inode6
```

Ensure that systemd will mount the /tmp partition at boot time:

```
# systemctl is-enabled tmp.mount
enabled
```

Note that by default systemd will output `generated` if there is an entry in /etc/fstab for /tmp. This just means systemd will use the entry in /etc/fstab instead of its default unit file configuration for /tmp.
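The audit above can be expressed as a small POSIX shell script. This is an added example, not part of the benchmark text: the functions `tmp_is_mounted`, `fstab_has_tmp`, `unit_state_ok` and `audit_tmp_live` are names chosen here, and the functions evaluate captured command output so the logic can be checked against constructed samples before it is run against a real host.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark text: helper functions that evaluate the
# 1.1.2.1 audit against captured command output, plus a wrapper that runs the real commands.

# tmp_is_mounted OUTPUT: OUTPUT is the text printed by `findmnt --kernel /tmp` (a header
# line plus zero or one data rows). Succeeds only when a data row has TARGET == /tmp.
tmp_is_mounted() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == "/tmp" { found = 1 } END { exit !found }'
}

# fstab_has_tmp FSTAB: FSTAB is the text of /etc/fstab. Succeeds when an uncommented
# entry has /tmp as its mount point; such an entry is why systemctl reports "generated".
fstab_has_tmp() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/tmp" { found = 1 } END { exit !found }'
}

# unit_state_ok STATE: STATE is the output of `systemctl is-enabled tmp.mount`.
# The two states the benchmark accepts: "enabled" (unit file) or "generated" (fstab entry).
unit_state_ok() {
    case "$1" in
        enabled|generated) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_tmp_live: run the real commands. Returns 0 = pass, 1 = fail, 2 = tools missing.
audit_tmp_live() {
    command -v findmnt >/dev/null 2>&1 && command -v systemctl >/dev/null 2>&1 || return 2
    mnt=$(findmnt --kernel /tmp 2>/dev/null) || mnt=''
    state=$(systemctl is-enabled tmp.mount 2>/dev/null) || true
    rc=0
    tmp_is_mounted "$mnt" || { echo "FAIL: /tmp is not a separate mount"; rc=1; }
    unit_state_ok "$state" || { echo "FAIL: tmp.mount state is '${state:-unknown}'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: /tmp is a separate mount and will be mounted at boot"
    return "$rc"
}

# Run the live audit only when asked, so sourcing the file for its functions is side-effect free.
if [ "${1-}" = "--live" ]; then
    audit_tmp_live
fi
```

Invoke it as `sh audit-tmp.sh --live` on the host being checked; without the flag it only defines the functions. Because `findmnt` prints nothing and exits non-zero when /tmp is not a mount point, an empty capture is treated the same as a header-only one.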

## Remediation

First, ensure that systemd is configured to mount /tmp at boot time:

```
# systemctl unmask tmp.mount
```

For the specific configuration requirements of the /tmp mount in your environment, modify /etc/fstab or tmp.mount. Example of an /etc/fstab entry for a tmpfs file system with specific mount options:

```
tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0
```

Example of tmp.mount configured for a tmpfs file system with specific mount options:

```
[Unit]
Description=Temporary Directory /tmp
ConditionPathIsSymbolicLink=!/tmp
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
After=swap.target

[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
```
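The /etc/fstab route of the remediation, as an added example that is not part of the benchmark text: the function `ensure_tmp_fstab_entry` and the wrapper `remediate_live` are names chosen here. The file to edit is a parameter so the change can be rehearsed on a scratch copy; only `remediate_live` touches the real /etc/fstab, and only when run as root.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark text: idempotently install the page's
# example /etc/fstab line for /tmp. The target file is a parameter so the logic can be
# exercised on a scratch copy before the real /etc/fstab is modified.

TMP_FSTAB_LINE='tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0'

# ensure_tmp_fstab_entry FILE: append TMP_FSTAB_LINE to FILE unless an uncommented entry
# with mount point /tmp already exists. Prints "added" or "present"; returns 1 if FILE
# cannot be written. An existing entry is left untouched so a locally tuned line
# (a different size=, for example) is not silently replaced.
ensure_tmp_fstab_entry() {
    f=$1
    [ -e "$f" ] || : > "$f" || return 1
    if awk '$1 !~ /^#/ && $2 == "/tmp" { found = 1 } END { exit !found }' "$f"; then
        echo present
    else
        printf '%s\n' "$TMP_FSTAB_LINE" >> "$f" || return 1
        echo added
    fi
}

# remediate_live: the page's steps against the real system (root required).
remediate_live() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 2; }
    systemctl unmask tmp.mount || return 1
    ensure_tmp_fstab_entry /etc/fstab || return 1
    # systemd generates tmp.mount from the fstab entry; reload so the new line is picked up.
    systemctl daemon-reload
}

# Modify the live system only when asked, so sourcing the file for its functions is safe.
if [ "${1-}" = "--live" ]; then
    remediate_live
fi
```

After the entry is in place, `systemctl is-enabled tmp.mount` reports `generated`, which is the state the audit section describes for an fstab-backed /tmp. A commented-out /tmp line does not count as present, so the helper adds an active entry beside it rather than uncommenting the old one.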