 ====== 1.1.4 Ensure nosuid option set on /tmp partition (Scored) ======
**Profile Applicability:** \\
<note>Level 1 - Server \\
Level 1 - Workstation</note>

**Description:** \\
The ''nosuid'' mount option tells the kernel not to honour the set-user-ID and set-group-ID bits (or file capabilities) on executables stored on that filesystem. Such files can still be created there, but running them does not change the caller's effective UID or GID. \\ \\
**Rationale:** \\
''/tmp'' is world-writable and intended only for temporary file storage, so no legitimate setuid binary belongs there. Mounting it with ''nosuid'' ensures that a setuid binary copied or dropped into ''/tmp'' by an unprivileged user, or by an attacker who has gained a foothold on the system, cannot be used to escalate privileges. \\ \\
**Audit:** \\
If a ''/tmp'' partition exists run the following command and verify that the ''nosuid'' option is set on ''/tmp'': \\
<code bash>
# mount | grep /tmp
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)
</code>
Check the line whose mount point is exactly ''/tmp''; the pattern also matches ''/var/tmp'' and any other path containing ''/tmp''. If ''/tmp'' is not a separate mount, the option cannot be set and this item does not apply. \\
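As an added audit helper (example code, not part of the benchmark text), the following POSIX shell function reads a mount table in ''/proc/mounts'' format and matches the mount point exactly, so it does not trip over ''/var/tmp'' the way ''mount | grep /tmp'' can. It reports "option set", "mount present but option missing" and "not a separate mount" as distinct exit statuses, which is what an audit script needs to tell PASS from FAIL from not-applicable. The mount table used below is constructed for the demonstration; on a real host omit the third argument so ''/proc/mounts'' is read (''findmnt -n -o OPTIONS /tmp'' shows the same information).

```shell
#!/bin/sh
# Added audit helper for benchmark item 1.1.4 (not part of the CIS text).
# Reads a mount table in /proc/mounts format:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>
# and matches the mount point exactly, unlike `mount | grep /tmp`, which
# also matches /var/tmp or any other path containing "/tmp".
#
# Usage: mount_has_opt MOUNTPOINT OPTION [MOUNTS_FILE]
# Exit status: 0 = option set on that mount
#              1 = mount point present but option missing
#              2 = MOUNTPOINT is not a separate mount at all
mount_has_opt() {
    mp=$1; opt=$2; table=${3:-/proc/mounts}
    awk -v mp="$mp" -v opt="$opt" '
        $2 == mp {
            found = 1; hit = 0          # the last entry for a mount point is the effective one
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) hit = 1
        }
        END {
            if (!found) exit 2
            exit (hit ? 0 : 1)
        }' "$table"
}

# Human-readable verdict for /tmp, in the PASS/FAIL style of an audit script.
audit_tmp_nosuid() {
    rc=0; mount_has_opt /tmp nosuid "$1" || rc=$?
    case $rc in
        0) echo "PASS: /tmp is mounted with nosuid" ;;
        1) echo "FAIL: /tmp is mounted without nosuid" ;;
        *) echo "N/A: /tmp is not a separate mount" ;;
    esac
    return "$rc"
}

# Constructed sample mount table for the demonstration (not from a real host).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var/tmp ext4 rw,relatime 0 0
EOF
audit_tmp_nosuid "$SAMPLE"
rm -f "$SAMPLE"
```

Because the helper keeps the last matching entry, a later mount stacked on top of ''/tmp'' without the option correctly turns a PASS into a FAIL, which a simple grep for the string would miss.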
**Remediation:** \\
Edit the ''/etc/fstab'' file and add ''nosuid'' to the fourth field (mounting options) for the ''/tmp'' partition. See the ''fstab(5)'' manual page for more information. \\
Run the following command to remount ''/tmp'', then re-run the audit command to confirm the option is active:
<code bash>
# mount -o remount,nosuid /tmp
</code>
\\ \\
**Notes:** \\
On systems that mount ''/tmp'' through systemd's ''tmp.mount'' unit, that unit should be used instead of configuring ''/etc/fstab''. Mount options are configured in the ''Options'' setting in ''/etc/systemd/system/tmp.mount''.
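The fstab edit in the remediation and the ''tmp.mount'' note above are the same change in two places: the option has to land in the comma-separated option list of the right entry, without duplicating it or disturbing the rest of the file. The following POSIX shell helpers are an added example (not part of the benchmark or of any distribution's tooling): ''add_fstab_opt'' adds an option to the fourth field of the entry for a given mount point and fails if there is no such entry, and ''add_unit_opt'' adds it to the ''Options='' line of a systemd mount unit. Both are idempotent, and ''add_unit_opt'' assumes the unit already has an ''Options='' line, as the stock ''tmp.mount'' does. The files edited below are constructed samples; on a real system point the functions at ''/etc/fstab'' or ''/etc/systemd/system/tmp.mount'', run ''systemctl daemon-reload'' in the unit case, then remount ''/tmp'' as shown in the remediation and re-run the audit.

```shell
#!/bin/sh
# Added remediation helpers for benchmark item 1.1.4 (not part of the CIS text).

# add_fstab_opt FSTAB MOUNTPOINT OPTION
# Rewrite FSTAB in place so the entry whose mount point is MOUNTPOINT carries
# OPTION in its fourth (options) field. Comment and blank lines are kept,
# an option that is already present is not duplicated, and the function
# returns 1 without touching the file if MOUNTPOINT has no entry.
add_fstab_opt() {
    fstab=$1; mp=$2; opt=$3
    out=$(mktemp)
    awk -v mp="$mp" -v opt="$opt" '
        /^[ \t]*(#|$)/ { print; next }            # comment or blank line
        $2 == mp {
            found = 1; hit = 0
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) hit = 1
            if (!hit) $4 = $4 "," opt              # rebuilds the line with single spaces
        }
        { print }
        END { exit found ? 0 : 1 }' "$fstab" > "$out" || { rm -f "$out"; return 1; }
    # copy the content back rather than mv, so the target keeps its mode/owner
    cat "$out" > "$fstab" && rm -f "$out"
}

# fstab_opts FSTAB MOUNTPOINT: print the options field of MOUNTPOINT's entry.
fstab_opts() {
    awk -v mp="$2" '!/^[ \t]*#/ && $2 == mp { print $4 }' "$1"
}

# add_unit_opt UNIT OPTION
# Add OPTION to the Options= line of a systemd mount unit such as tmp.mount.
# Assumes the unit already has an Options= line (the stock tmp.mount does).
add_unit_opt() {
    unit=$1; opt=$2
    out=$(mktemp)
    awk -v opt="$opt" '
        /^Options=/ {
            list = substr($0, 9); hit = 0          # strip the 8-char "Options=" prefix
            n = split(list, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) hit = 1
            if (list == "") list = opt; else if (!hit) list = list "," opt
            print "Options=" list; next
        }
        { print }' "$unit" > "$out" || { rm -f "$out"; return 1; }
    cat "$out" > "$unit" && rm -f "$out"
}

# Demonstration on constructed sample files (not a real /etc/fstab or unit).
F=$(mktemp)
cat > "$F" <<'EOF'
# constructed sample fstab
UUID=0000-0000  /     ext4   defaults               1 1
tmpfs           /tmp  tmpfs  defaults,nodev,noexec  0 0
EOF
add_fstab_opt "$F" /tmp nosuid
echo "fstab options for /tmp: $(fstab_opts "$F" /tmp)"

U=$(mktemp)
printf '%s\n' '[Mount]' 'What=tmpfs' 'Where=/tmp' 'Type=tmpfs' \
    'Options=mode=1777,strictatime,nodev' > "$U"
add_unit_opt "$U" nosuid
grep '^Options=' "$U"
rm -f "$F" "$U"
echo "next: mount -o remount,nosuid /tmp, then re-run the audit"
```

The helpers write through ''cat'' rather than ''mv'' on purpose: a file created by ''mktemp'' is mode 0600, and moving it over ''/etc/fstab'' would silently tighten that file's permissions.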