InformationThe /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications and is intended for temporary files that are preserved across reboots.
Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.
Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
SolutionFor new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp .
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
tmpfs should not be used for /var/tmp/
tmpfs is a temporary filesystem that resides in memory and/or swap partition(s)
Files in tmpfs are automatically cleared at each bootup
Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, MEDIA PROTECTION, SYSTEM AND SERVICES ACQUISITION
References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|MP-2, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1
Control ID: 855f2e07636bb84575c556c4c73bd615e2880234673e6432ec114c1dee0fe9a6