sunhux
 asked on

Should /tmp be remounted as tmpfs or remain as xfs during hardening?

On my RHEL 7, the /tmp partition is shown as xfs:
$ mount |grep /tmp
/dev/mapper/rhel-tmp on /tmp type xfs (rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/rhel-var_tmp on /var/tmp type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

So when doing CIS hardening, the benchmark doc suggests remounting as tmpfs.
Should I remount as xfs instead?

i.e.
> mount -o remount,nosuid,noexec,nodev tmpfs -t tmpfs
Should the above be
> mount -o remount,nosuid,noexec,nodev xfs -t xfs /tmp

and

in /etc/fstab
> /dev/mapper/rhel-tmp    /tmp                    tmpfs     defaults,nodev,nosuid,noexec        0 0
Should the above be
> /dev/mapper/rhel-tmp    /tmp                    xfs     defaults,nodev,nosuid,noexec        0 0

and

cat  /etc/systemd/system/local-fs.target.wants/tmp.mount
[Mount]
What=tmpfs  <== should it be xfs?
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,noexec,nodev,nosuid
Last Comment
David Favor

8/22/2022 - Mon
sunhux

ASKER
One more query:

In fstab, should we remove the "defaults" or leave it there?
>defaults,nodev,nosuid,noexec
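
Added example, not part of the thread: a check that reads `mount`-style output and reports which of the options discussed above (nodev, nosuid, noexec) are missing for a mount point, whatever filesystem type backs it. The function names and the /dev/shm line are constructed for illustration; the two xfs lines are the ones posted in the question.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes mount points contain no spaces.
REQUIRED_OPTS="nodev nosuid noexec"

# sample_mounts: the two xfs lines from the question plus one constructed
# tmpfs line, so the check can be run offline.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/rhel-tmp on /tmp type xfs (rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/rhel-var_tmp on /var/tmp type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel)
EOF
}

# missing_opts MOUNTPOINT  (mount output on stdin)
# Prints "<fstype> ok", "<fstype> missing: <opts>", or "not-mounted".
# On a live system: mount | missing_opts /tmp
missing_opts() {
    awk -v mp="$1" -v req="$REQUIRED_OPTS" '
        # Line format: SOURCE on TARGET type FSTYPE (opt,opt,...)
        $2 == "on" && $3 == mp && $4 == "type" {
            fstype = $5
            opts = $6
            gsub(/[()]/, "", opts)
            split("", set)              # reset: the last (topmost) mount wins
            n = split(opts, have, ",")
            for (i = 1; i <= n; i++) set[have[i]] = 1
            found = 1
        }
        END {
            if (!found) { print "not-mounted"; exit }
            m = split(req, need, " ")
            out = ""
            for (i = 1; i <= m; i++)
                if (!(need[i] in set)) out = out " " need[i]
            if (out == "") result = fstype " ok"
            else result = fstype " missing:" out
            print result
        }'
}

# Report on the mount points from the question and the constructed one.
for mp in /tmp /var/tmp /dev/shm; do
    printf '%s: %s\n' "$mp" "$(sample_mounts | missing_opts "$mp")"
done
```

On the posted output this reports /tmp as complete and /var/tmp as missing all three options.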
ASKER CERTIFIED SOLUTION
David Favor
