should /tmp be remounted as tmpfs or remain as xfs during hardening

sunhux
On my RHEL 7, the /tmp partition is shown as xfs:
$ mount |grep /tmp
/dev/mapper/rhel-tmp on /tmp type xfs (rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/rhel-var_tmp on /var/tmp type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

So when doing CIS hardening, the benchmark doc suggests remounting it as tmpfs;
should I remount it as xfs instead?

i.e.
>mount -o remount,nosuid,noexec,nodev tmpfs -t tmpfs
should the above be
> mount -o remount,nosuid,noexec,nodev xfs -t xfs /tmp

and

in /etc/fstab
> /dev/mapper/rhel-tmp    /tmp                    tmpfs     defaults,nodev,nosuid,noexec        0 0
should the above be
> /dev/mapper/rhel-tmp    /tmp                    xfs     defaults,nodev,nosuid,noexec        0 0

and

cat /etc/systemd/system/local-fs.target.wants/tmp.mount
[Mount]
What=tmpfs  <== should it be xfs?
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,noexec,nodev,nosuid
Author

Commented:
One more query:

in fstab, should we remove the "defaults" or leave it there?
>defaults,nodev,nosuid,noexec
Fractional CTO
Distinguished Expert 2018
Commented:
1) If you leave /tmp on disk, then the filesystem required relates to your disk partitioning. If your entire partition where /tmp lives is XFS, then you'll use XFS.

Running /tmp as tmpfs may provide better performance, in some cases.

Running /tmp as tmpfs has no security implications, as disk permissions + ACLs are all the same whether /tmp runs in tmpfs or off a disk filesystem.

2) The mount option of defaults is always on, whether you list it or not, as defaults is an alias for different options for different filesystems.

Whether you leave defaults in mount options explicitly or remove it makes no difference.

The defaults options are always enabled, unless you disable them explicitly... which can result in a bricked (non-bootable) machine, so care must be taken when attempting to disable defaults-level options.
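Whichever filesystem type ends up in fstab, what the CIS check actually looks at is the mount options on /tmp and /var/tmp. The script below is an added example (not from the thread and not the benchmark's own audit script) that reads `mount` output and reports which of nodev, nosuid and noexec are missing for a given mount point; the function name `missing_opts` is made up here, and the sample mount table is constructed from the `mount` output quoted in the question.

```shell
#!/bin/sh
# Added example: audit /tmp and /var/tmp for the CIS mount options,
# independent of whether the mount is xfs on an LV or tmpfs in RAM.
# Input is one line per mount in the format printed by `mount`:
#   DEVICE on MOUNTPOINT type FSTYPE (opt1,opt2,...)

REQUIRED_OPTS="nodev nosuid noexec"

# Constructed sample (from the question's output): /tmp is hardened,
# /var/tmp is not, /dev/shm lacks noexec.
SAMPLE_MOUNTS='/dev/mapper/rhel-tmp on /tmp type xfs (rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/rhel-var_tmp on /var/tmp type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel)'

# missing_opts MOUNTPOINT [MOUNT_OUTPUT]
# Prints the required options absent for MOUNTPOINT, one per line, and
# returns 1 if any is missing. Prints NOT_MOUNTED (and returns 1) when the
# mount point is not present. Without MOUNT_OUTPUT the live `mount` is used.
missing_opts() {
    mp=$1
    data=${2:-$(mount)}
    # Field 3 is the mount point (exact match); field 6 is "(opts)".
    opts=$(printf '%s\n' "$data" | awk -v mp="$mp" \
        '$3 == mp { sub(/^\(/, "", $6); sub(/\)$/, "", $6); print $6; exit }')
    if [ -z "$opts" ]; then
        echo NOT_MOUNTED
        return 1
    fi
    rc=0
    for o in $REQUIRED_OPTS; do
        # Wrap in commas so "nodev" does not match inside another option.
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "$o"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone run against the constructed sample; drop the second argument
# to audit the live system.
for mp in /tmp /var/tmp; do
    if missing=$(missing_opts "$mp" "$SAMPLE_MOUNTS"); then
        echo "$mp: ok"
    else
        echo "$mp: missing" $missing
    fi
done
```

Run as a non-privileged user it only reads the mount table; the remount and fstab changes from the question are still required to fix anything it reports.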
