Linux - System Preferences - Ensure /Tmp is Configured

What the Linux /tmp configuration Worklet does

This Automox Worklet™ verifies that /tmp on a Linux endpoint is mounted as its own filesystem and adds a tmpfs entry to /etc/fstab when one is missing. The evaluation script runs mount and greps for a /tmp entry surrounded by whitespace; an empty result means /tmp is sharing the root filesystem and the endpoint is flagged for remediation.

When remediation runs, the Worklet appends the line tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 to /etc/fstab and executes mount -a so the new entry is honored without a reboot. After mount -a returns, the script re-runs the mount check and exits non-zero with a message to stderr if /tmp still does not appear as its own filesystem, surfacing the failure in the Automox activity log.

Why separate /tmp on Linux endpoints

/tmp is world-writable, which makes it the first staging directory an attacker reaches for after gaining a local foothold. When /tmp lives on the root filesystem with no mount options applied, an unprivileged process can drop a binary there, set the SUID bit, create device nodes, and execute the payload. Mounting /tmp as a separate tmpfs with nosuid, nodev, and noexec removes all three of those attack primitives in one configuration change.

CIS Linux Benchmark control 1.1.2 requires /tmp on a separate partition or tmpfs, and the same requirement is reflected in NIST 800-53 SC-39 and PCI-DSS 2.2 hardening baselines. Running this Worklet across a fleet closes the audit gap in one policy pass and produces an /etc/fstab entry that survives reboots, kernel upgrades, and image rebuilds that pull in the same fstab.

How the /tmp mount check works

1. Evaluation phase: The script runs mount | grep -E '\s/tmp\s' to detect a live mount whose mount point is /tmp. An empty result writes "There is currently not a mount for /tmp. Remediation will be scheduled." to stderr and exits 1. A non-empty result writes "Your /tmp directory is already configured at this time. Worklet exiting..." to stdout and exits 0, and no remediation is queued.

2. Remediation phase: The script runs the same mount | grep check, and if /tmp is already its own mount it exits 0 immediately. Otherwise the configure_tmp_mount function appends tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 to /etc/fstab and runs mount -a. The script then re-runs the mount check; a non-empty result exits 0 with a success message, while an empty result writes a stderr message that points back to the Automox activity log and exits 1.

Requirements for the /tmp configuration policy

• Linux endpoint with a writable /etc/fstab and a working mount and mount -a toolchain (RHEL, CentOS, Rocky, Alma, Fedora, Debian, and Ubuntu are all in scope)

• Root or sudo privileges for the Automox agent; the default agent context already runs as root

• Enough physical RAM headroom for tmpfs allocation, since tmpfs defaults to half of system memory when no size is specified in the fstab entry

• No application that relies on executing scripts from inside /tmp; legacy Oracle and Java installers occasionally do, and they need a relocated working directory before noexec is applied

• The evaluation only verifies that /tmp is its own mount; review fstab and findmnt /tmp after the first remediation if you also need to confirm nosuid, nodev, and noexec are active on existing /tmp mounts that predate the policy

Expected /tmp state after remediation

After the Worklet runs, /etc/fstab contains the line tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 and the live mount table reports /tmp as a tmpfs filesystem. The mount survives reboots because the entry is in fstab, and subsequent evaluation runs exit 0 on the first mount check without touching the configuration.

Validate with three commands. Run findmnt /tmp to confirm the active mount carries nosuid, nodev, and noexec. Run grep '^tmpfs.*/tmp' /etc/fstab to confirm the persistent entry. Then run cp /bin/ls /tmp/ followed by /tmp/ls; the second command should fail with Permission denied, which confirms noexec is enforced. Capture those outputs alongside the Automox policy run identifier as audit evidence for CIS 1.1.2.