hardening /tmp
Odhiambo Washington
odhiambo at gmail.com
Wed Feb 8 15:59:17 UTC 2017
On 8 February 2017 at 18:43, Trond Endrestøl <Trond.Endrestol at fagskolen.gjovik.no> wrote:
> On Wed, 8 Feb 2017 10:22-0500, James B. Byrne via freebsd-questions wrote:
>
> > How do most people handle hardening /tmp and /var/tmp on FreeBSD? I
> > can get rid of /tmp from the file system and then simply mount it as a
> > tmpfs in /etc/fstab.
> >
> > tmpfs /tmp tmpfs rw,nosuid,noexec,mode=01777 0 0
> >
> > However, /var/tmp is supposed to survive across reboots so how is this
> > handled?
>
> If ZFS is an option, then create a separate dataset/filesystem for
> /var/tmp, and set its quota to something sensible.
>
> If UFS is your (only) option, then create a separate partition of
> reasonable size and mount that as your /var/tmp.
>
> You can also consider a filebacked mfs of a certain size for your
> /var/tmp.
>
> --
> +-------------------------------+------------------------------------+
> | Vennlig hilsen, | Best regards, |
> | Trond Endrestøl, | Trond Endrestøl, |
> | IT-ansvarlig, | System administrator, |
> | Fagskolen Innlandet, | Gjøvik Technical College, Norway, |
> | tlf. mob. 952 62 567, | Cellular...: +47 952 62 567, |
> | sentralbord 61 14 54 00. | Switchboard: +47 61 14 54 00. |
>
What are we mitigating? A situation where some bad guy fills /tmp and
collapses the system? Or a situation where a bad guy manages to access our
/tmp and uses it to launch his scripts?
I remember this hardening subject from years back, so I googled "freebsd
security hardening" and found so much being discussed, including even a port
that was specifically made to achieve the same, as you can read from
https://linux-audit.com/freebsd-hardening-lynis/
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
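
Added example, not part of the original thread or written by any of its posters: a small POSIX sh check covering both risks raised above, that /tmp and /var/tmp are separate mounts (so filling them cannot exhaust the parent filesystem) and that they carry nosuid and noexec. It reads fstab-format lines such as /etc/fstab or FreeBSD's `mount -p` output; the function name, the finding strings and the sample devices are assumptions made for illustration.

```shell
#!/bin/sh
# audit_tmp_mounts (hypothetical helper): reads fstab-format text on stdin
# and prints one finding per line; no output means nothing was flagged.
# A ZFS quota is not a mount option, so it is not visible to this check.
audit_tmp_mounts() {
    awk '
    BEGIN { want["/tmp"] = 1; want["/var/tmp"] = 1 }
    /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
    ($2 in want) {
        seen[$2] = 1
        split("", has)                     # portable way to clear the array
        capped = 0
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) {
            has[o[i]] = 1
            if (o[i] ~ /^size=/) capped = 1
        }
        if (!("nosuid" in has)) print $2 ": missing nosuid"
        if (!("noexec" in has)) print $2 ": missing noexec"
        # a tmpfs with no size= option has no explicit cap on how much it can hold
        if ($3 == "tmpfs" && !capped) print $2 ": tmpfs without size= cap"
    }
    END {
        if (!("/tmp" in seen))     print "/tmp: not a separate mount"
        if (!("/var/tmp" in seen)) print "/var/tmp: not a separate mount"
    }'
}

# Constructed sample: the tmpfs line quoted in the thread plus an
# invented UFS partition for /var/tmp that lacks noexec.
SAMPLE='# Device     Mountpoint FStype Options Dump Pass
/dev/ada0p2 / ufs rw 1 1
tmpfs /tmp tmpfs rw,nosuid,noexec,mode=01777 0 0
/dev/ada0p4 /var/tmp ufs rw,nosuid 2 2'

printf '%s\n' "$SAMPLE" | audit_tmp_mounts
```

On a live system the same function can be fed with `mount -p | audit_tmp_mounts`.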