# Differences

This shows you the differences between two versions of the page.

 ubuntu1604:1:1:4 [2017/05/02 00:15]Piotr Kłoczewski utworzono ubuntu1604:1:1:4 [2017/05/02 12:12] Line 1: Line 1: - ====== 1.1.4 Ensure nosuid option set on /tmp partition (Scored) ====== - **Profile Applicability:​** \\ - ​ - <​note>​Level 1 - Server \\ - Level 1 - Workstation​ - - **Description:​** \\ - The ''​nosuid''​ mount option specifies that the filesystem cannot contain ''​setuid''​ files. \\ \\ - **Rationale:​** \\ - Since the ''/​tmp''​ filesystem is only intended for temporary file storage, set this option to ensure that users cannot create ''​setuid''​ files in ''/​tmp''​. \\ \\ - **Audit:** \\ - If a ''/​tmp''​ partition exists run the following command and verify that the ''​nosuid''​ option is set on ''/​tmp'':​ \\ - <​Code:​bash>​ - # mount | grep /tmp - tmpfs on /tmp type tmpfs (rw,​nosuid,​nodev,​noexec,​relatime) - ​ - \\ - **Remediation:​** \\ - Edit the ''/​etc/​fstab''​ file and add ''​nosuid''​ to the fourth field (mounting options) for the ''/​tmp''​ partition. See the ''​fstab(5)''​ manual page for more information. \\ - Run the following command to remount ''/​tmp'': ​ - <​Code:​bash>​ - # mount -o remount,​nosuid /tmp - ​ - \\ \\ - **Notes:** \\ - systemd includes the ''​tmp.mount''​ service which should be used instead of configuring ''/​etc/​fstab''​. Mounting options are configured in the ''​Options''​ setting in ''/​etc/​systemd/​system/​tmp.mount''​.
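Review bot: The Audit command `# mount | grep /tmp` matches any mount line that contains the string /tmp, so an entry for another mount point such as /var/tmp that carries nosuid would appear to satisfy the check even if /tmp itself is mounted without it. Match the mount point exactly, for example by grepping for ` on /tmp ` with the surrounding spaces, and state that the audit passes only when nosuid appears in the option list of that one line. Separately, the Remediation text tells the reader to edit /etc/fstab, while the Notes say the systemd tmp.mount unit should be used instead of /etc/fstab. The item should say which of the two applies in which case, so the persistent setting is not configured in a file the system does not use for /tmp.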