Detections
Analytics

1.1.2.1.3 Ensure nosuid option set on /tmp partition

Information

The nosuid mount option specifies that the filesystem cannot contain setuid files.

Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp.

Solution

- IF - a separate partition exists for /tmp.

Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition.

Example:

<device> /tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0

Run the following command to remount /tmp with the configured options:

# mount -o remount /tmp

See Also

https://workbench.cisecurity.org/benchmarks/19886

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CAT|II, CSCv7|14.6, Rule-ID|SV-230512r854053_rule, Vuln-ID|V-230512

Plugin: Unix

Control ID: b30d0e7e2ea683a17befc6388bee04c1c4ea81272d13418c643e907b973e082b