ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

RHEL7 tmp mount detection #2403

Closed hogarthj closed 1 year ago

hogarthj commented 7 years ago

Description of problem:

Rule CCE-27173-4 states that /tmp should be on its own partition. The default, and recommended, EL7 configuration is /tmp on tmpfs but the openscap scan is reporting that tmp is not on its own partition.

SCAP Security Guide Version:

scap-security-guide-0.1.35-1.fc27.noarch

Operating System Version:

Fedora 27 host, RHEL7 target.

Steps to Reproduce:

  1. Standard RHEL7 system to target
  2. oscap-ssh root@ 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --results /tmp/rhel7-stig-ssg-results.xml --report /tmp/rhel7-stig-ssg-results.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
  3. xdg-open /tmp/rhel7-stig-ssg-results.html

Actual Results:

FAIL xccdf_org.ssgproject.content_rule_partition_for_tmp Identifiers: CCE-27173-4 References: RHEL-07-021340, SC-32(1), 366, SRG-OS-000480-GPOS-00227, 1.1.2

Expected Results:

PASS

Additional Information/Debugging Steps:

I'm not seeing anything that specifies /tmp can't be tmpfs and has to be physical for this template ... if there is it'd be useful to link to.

ferricoxide commented 6 years ago

Note:

When you implement /tmp on tmpfs, there's another remediation-rule that causes /var/tmp to become a bind-mount of /tmp. This has two side-effects when /tmp is tmpfs - one good and one bad:

So, long story short, /tmp on tmpfs has a couple of knock-ons that likely need to be addressed in each of the relevant identifiers' remediation-areas. I'd cross-reference, but this post is a quick drop-in (since this issue was the first hit when I was doing a search for /tmp-related reports).
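The question in this thread is whether a tmpfs /tmp counts as "its own partition", and ferricoxide's note adds that a bind mount of /var/tmp onto /tmp creates a second mount entry. The following added example (not ComplianceAsCode content and not the rule's actual OVAL check) parses input in /proc/mounts format and reports whether a path is a mount point in its own right and which filesystem type backs it. The sample mount table is constructed; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the ComplianceAsCode project: decide whether a path
# is a dedicated mount point by reading /proc/mounts-format data, and report its
# filesystem type so that a tmpfs-backed /tmp is recognised as a separate filesystem.

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# The /var/tmp line is what a bind mount of a tmpfs /tmp looks like: the kernel lists
# the bind mount as a second entry carrying the source filesystem's type (tmpfs).
SAMPLE_MOUNTS='/dev/mapper/rhel-root / xfs rw,relatime,attr2,inode64,noquota 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/rhel-var /var xfs rw,relatime,attr2,inode64,noquota 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# mount_fstype PATH [MOUNTS_TEXT]
# Print the filesystem type of the mount whose mount point is exactly PATH.
# Print nothing and return 1 when PATH is not a mount point. Without MOUNTS_TEXT
# the live /proc/mounts is read. The last matching line wins, so an over-mount
# on the same path is reported rather than the filesystem underneath it.
mount_fstype() {
    path=$1
    mounts=${2:-$(cat /proc/mounts)}
    fstype=$(printf '%s\n' "$mounts" | awk -v mp="$path" '$2 == mp { print $3 }' | tail -n 1)
    [ -n "$fstype" ] || return 1
    printf '%s\n' "$fstype"
}

# check_partition PATH [MOUNTS_TEXT]
# PASS/FAIL verdict in the spirit of the partition_for_tmp rule: any filesystem
# mounted exactly at PATH, tmpfs included, counts as a separate partition.
check_partition() {
    if fstype=$(mount_fstype "$1" "$2"); then
        printf 'PASS %s is a separate mount (%s)\n' "$1" "$fstype"
        return 0
    fi
    printf 'FAIL %s is not a mount point\n' "$1"
    return 1
}

# Demonstration against the constructed table; both paths are mount points here.
check_partition /tmp "$SAMPLE_MOUNTS"
check_partition /var/tmp "$SAMPLE_MOUNTS"
```

Run against a live system by omitting the second argument (`check_partition /tmp`). Because a bind mount shows up as an ordinary entry, the same check reports /var/tmp as a separate tmpfs mount once the bind-mount remediation has been applied, which is the knock-on effect described above.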

marcusburghardt commented 1 year ago

This should no longer be an issue in the current versions.