2.1.1 Ensure chargen services are not enabled (Scored)
Profile Applicability
Level 1 - Workstation
Description
chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled.
Rationale
Disabling this service will reduce the remote attack surface of the system.
Audit
Run the following command and verify output shows /tmp is mounted:
# mount | grep /tmp
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)
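An added example, not part of the benchmark text: `grep /tmp` also matches lines for mount points such as /var/tmp, so this sketch compares the mount-point field exactly and reports which options from the sample output are absent. The function name `audit_tmp`, its exit codes, and the choice to treat the sample output's nosuid, nodev and noexec as the expected set are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: stricter form of the audit's "mount | grep /tmp".
# audit_tmp reads `mount`-style lines on stdin:
#   <source> on <mountpoint> type <fstype> (<opt,opt,...>)
# Exit status: 0 = /tmp mounted with all expected options
#              1 = /tmp is not a separate mount
#              2 = /tmp mounted but one or more expected options missing
# EXPECTED is an assumption taken from the sample output in the Audit section.
EXPECTED="nosuid nodev noexec"

audit_tmp() {
    awk -v expected="$EXPECTED" '
        # Field 3 is the mount point; compare it exactly so that
        # /var/tmp or /tmp/cache do not satisfy the check.
        $2 == "on" && $3 == "/tmp" {
            found = 1
            opts = $NF                      # e.g. "(rw,nosuid,nodev)"
            gsub(/[()]/, "", opts)
            split("", set)                  # portable way to clear an array
            n = split(opts, have, ",")
            for (i = 1; i <= n; i++) set[have[i]] = 1
            m = split(expected, want, " ")
            missing = ""
            for (i = 1; i <= m; i++)
                if (!(want[i] in set)) missing = missing " " want[i]
        }
        END {
            if (!found) {
                print "FAIL: /tmp is not a separate mount"
                exit 1
            }
            if (missing != "") {
                print "WARN: /tmp missing options:" missing
                exit 2
            }
            print "PASS: /tmp mounted with " expected
        }'
}

# Live use on a host:  mount | audit_tmp
```
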
Remediation
For new installations, during installation create a custom partition setup and specify a separate partition for /tmp.
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
Impact
Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
References
AJ Lewis, “LVM HOWTO”, http://tldp.org/HOWTO/LVM-HOWTO/
Notes
systemd includes the tmp.mount service which should be used instead of configuring /etc/fstab.