Configures /tmp as a separate filesystem on Linux endpoints to improve security and prevent denial-of-service attacks
This Automox Worklet™ verifies that the /tmp directory on your Linux endpoints is mounted as a separate filesystem with dedicated mount options. If /tmp is not already isolated, the Worklet automatically adds an entry to /etc/fstab to mount /tmp as a tmpfs filesystem with security-hardened options.
The mount configuration applies restrictive options including nosuid (set-user-ID and set-group-ID bits on files in /tmp are ignored), nodev (device files in /tmp are not honored), and noexec (prevents direct execution of binaries and scripts from /tmp). These settings significantly reduce the attack surface for privilege escalation and malware deployment from temporary files.
The /tmp directory is world-writable by design, making it a preferred location for attackers to store and execute malicious code. When /tmp shares the same filesystem as the root directory, an attacker can fill /tmp with large files to cause denial-of-service conditions affecting the entire system. Security frameworks like CIS Benchmarks, NIST 800-53, and PCI-DSS require /tmp isolation to mitigate these risks.
Isolating /tmp also prevents privilege escalation attacks that exploit SUID binaries or device files staged in /tmp. By mounting /tmp with noexec, you prevent direct script execution from the temporary directory, forcing attackers to copy files to /var or other directories before execution. This additional step creates detection opportunities and increases attacker effort. Note that noexec stops a file in /tmp from being run directly as a program; a script can still be read by an interpreter, so treat noexec as one layer of defense rather than a complete control.
Evaluation phase: The Worklet checks the system mount table using the mount command to determine whether /tmp is currently mounted as a separate filesystem. If a dedicated mount for /tmp exists, the Worklet confirms compliance and exits without making changes.
Remediation phase: If /tmp is not mounted as a separate filesystem, the Worklet adds a new entry to /etc/fstab: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0. It then executes mount -a to load the new mount configuration and verifies that /tmp is now mounted as an independent filesystem.
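The evaluation and remediation logic described above, as an added example in Bash that is not the Worklet's own script. It takes /proc/mounts-format text and fstab text as strings (the sample mount tables and fstab content are constructed) so the checks can be exercised without root; the live remediation step (mount -a) is deliberately left out.

```bash
#!/usr/bin/env bash
# Added example, not the Worklet's own script: the /tmp checks described above,
# applied to /proc/mounts-style and fstab text passed in as strings so they can
# run without root. Sample inputs below are constructed.
set -eu

REQUIRED_OPTS="nosuid nodev noexec"
# The fstab entry the page says the Worklet adds when /tmp is not isolated.
FSTAB_LINE='tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0'

# Print the /tmp mount line from /proc/mounts-format text; fail if /tmp is not a mount.
tmp_mount_line() {
  printf '%s\n' "$1" | awk '$2 == "/tmp" { print; found = 1 } END { exit found ? 0 : 1 }'
}

# Succeed only if /tmp is a separate mount carrying every option in REQUIRED_OPTS.
tmp_is_hardened() {
  local line opts o
  line=$(tmp_mount_line "$1") || return 1
  opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
  for o in $REQUIRED_OPTS; do
    case ",$opts," in *",$o,"*) ;; *) return 1 ;; esac
  done
}

# Succeed if fstab text already has an uncommented entry for /tmp (remediation is then skipped).
fstab_has_tmp() {
  printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/tmp" { found = 1 } END { exit found ? 0 : 1 }'
}

# Print fstab text with FSTAB_LINE appended only when no /tmp entry exists (idempotent).
remediate_fstab() {
  if fstab_has_tmp "$1"; then printf '%s\n' "$1"; else printf '%s\n%s\n' "$1" "$FSTAB_LINE"; fi
}

# Constructed mount tables: root only, hardened /tmp, and /tmp mounted without the options.
MOUNTS_SHARED='/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
MOUNTS_HARDENED="$MOUNTS_SHARED
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0"
MOUNTS_WEAK="$MOUNTS_SHARED
tmpfs /tmp tmpfs rw,relatime 0 0"

# On a real host, evaluate the live mount table (read-only; remediation needs root and mount -a).
if [ -r /proc/mounts ]; then
  if tmp_is_hardened "$(cat /proc/mounts)"; then echo "/tmp: compliant"; else echo "/tmp: not isolated or missing options"; fi
fi
```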
Linux endpoints running on WORKSTATION or SERVER endpoint types
Root or sudo access required to modify /etc/fstab and execute mount commands
Automox agent version 1.42.22 or later
Sufficient disk space available for tmpfs allocation (typically 512 MB to 1 GB depending on application workloads)
No active processes or services using /tmp during remediation (the Worklet handles this automatically)
After the Worklet successfully completes, the /tmp directory is mounted as a separate tmpfs filesystem with security-hardened mount options. You can verify this by running mount | grep /tmp on the endpoint, which should display an entry showing /tmp mounted with nosuid,nodev,noexec options applied.
The Worklet entry persists in /etc/fstab, ensuring /tmp remains isolated across system reboots. Applications continue to write temporary files to /tmp normally, but the restrictive mount options prevent exploitation vectors like SUID escalation or direct script execution from the temporary directory. Your Linux endpoints are now compliant with security standards requiring /tmp isolation.
Run this Worklet on a pilot Linux endpoint and review the evaluation output to verify that /tmp is configured as a separate mount.
Confirm that Automox activity logs show successful completion and exit code 0.
Verify endpoint state with checks that mirror the evaluation script's logic (for example, that mount reports a dedicated /tmp entry with nosuid, nodev, and noexec).
Validate the remediation's effects (the /etc/fstab entry and the resulting mount), then rerun the evaluation to confirm compliance.