To harden a system, a sysadmin should prevent execution of scripts and binaries from temporary filesystems. On Unix and Linux these are /tmp, /var/tmp and /dev/shm.
Before proceeding, stop any services that may be writing to these directories.
Create temporary filesystem
Make a blank 1GB file:
dd if=/dev/zero of=/mnt/tmp bs=1024 count=1024000
Format the file with an ext3 filesystem (mke2fs will ask for confirmation because the target is a regular file rather than a block device):
mke2fs -t ext3 /mnt/tmp
Secure /tmp
Remove the current /tmp contents and recreate the directory with the sticky bit set (mode 1777):
rm -rf /tmp
mkdir /tmp
chmod 1777 /tmp
Mount the file on /tmp with the noexec and nosuid options:
mount -o loop,noexec,nosuid,rw /mnt/tmp /tmp
Add an entry to /etc/fstab so the mount survives a reboot:
echo "/mnt/tmp /tmp ext3 loop,noexec,nosuid,rw 0 0" >> /etc/fstab
Secure /var/tmp
Remove the current /var/tmp contents:
rm -rf /var/tmp
Symlink /var/tmp to /tmp so it inherits the same mount options:
ln -s /tmp /var/tmp
Secure /dev/shm
Open /etc/fstab and make sure that /dev/shm is mounted with the following options:
none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
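After the three steps above, a practitioner wants a repeatable check that /tmp and /dev/shm really carry noexec and nosuid (in /etc/fstab before a reboot, in /proc/mounts after). The following POSIX shell script is an added example and not part of the original how-to; the function names has_opts, mount_line and check_table are assumptions, and the two sample mount tables are constructed to mirror the fstab lines given above. /var/tmp is not checked separately because the procedure makes it a symlink to /tmp.

```shell
# Added example (not from the original how-to): verify that the temporary
# filesystems are mounted with noexec and nosuid. Works on fstab-style or
# /proc/mounts-style lines: device mountpoint fstype options [dump pass].

# has_opts "<mount line>" "<comma-separated required options>"
# Returns 0 when every required option appears in the line's option field.
has_opts() {
    line=$1
    required=$2
    opts=$(printf '%s\n' "$line" | awk '{print $4}')
    for want in $(printf '%s\n' "$required" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;            # option present, keep checking
            *) return 1 ;;             # option missing
        esac
    done
    return 0
}

# mount_line "<table text>" "<mountpoint>"
# Prints the table line whose second field is the given mount point.
mount_line() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp'
}

# check_table "<table text>"
# Prints PASS/FAIL for /tmp and /dev/shm; returns 1 if any check fails.
check_table() {
    table=$1
    rc=0
    for mp in /tmp /dev/shm; do
        l=$(mount_line "$table" "$mp")
        if [ -z "$l" ]; then
            echo "FAIL $mp: not mounted as a separate filesystem"
            rc=1
        elif has_opts "$l" "noexec,nosuid"; then
            echo "PASS $mp: noexec and nosuid set"
        else
            echo "FAIL $mp: missing noexec or nosuid"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample tables: the first matches the fstab entries above,
# the second is a default install with /tmp on the root filesystem and
# /dev/shm lacking noexec/nosuid.
GOOD_TABLE='/mnt/tmp /tmp ext3 loop,noexec,nosuid,rw 0 0
none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0'

BAD_TABLE='/dev/sda1 / ext4 defaults 0 0
none /dev/shm tmpfs defaults,rw 0 0'

# To audit the running system instead of the samples:
#   check_table "$(cat /proc/mounts)"
#   check_table "$(cat /etc/fstab)"
```

Checking /proc/mounts rather than only /etc/fstab matters because a mount that was remounted by hand (for example with mount -o remount,exec /tmp) will differ from what fstab declares.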
