Securing /tmp and /var/tmp on OpenVZ Container


When hardening a server there are many steps that must be carried out to reduce its attack surface. One of the easiest is securing the temporary directories.

Normally Linux stores temporary files, such as cached pictures or database results, in the tmp directory (/tmp). Because any process can write there, malicious scripts may use it to stage compromising code, execute it on the system and perhaps install some sort of rootkit.

The usual fix is to create a standalone partition, mount it on /tmp with restrictive mount options so that code placed there cannot be executed, and thereby keep it separate from the main file system. On OpenVZ-based virtual servers, however, the container virtualization gets in the way of that approach, so the method is slightly different: mount a tmpfs with the same restrictive options instead.

Simply run the following (the mount command below handles /tmp; /var/tmp gets the same treatment through /etc/fstab):

# mount -t tmpfs -o noexec,nosuid tmpfs /tmp/
# cat /proc/mounts
simfs / simfs rw 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
devpts /dev/pts devpts rw 0 0
tmpfs /dev/shm tmpfs rw 0 0
tmpfs /tmp tmpfs rw,nosuid,noexec 0 0

and don't forget to add the entries to /etc/fstab so the mounts survive a reboot:

tmpfs /tmp tmpfs noexec,nosuid 0 0
tmpfs /var/tmp tmpfs noexec,nosuid 0 0
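A check for the result, added here as an example and not part of the original post: it parses /proc/mounts-format lines (a constructed sample mirroring the output above is embedded) and reports whether a mount point carries every required option; `mount_has_opts` and `check_live` are names chosen for this example.

```shell
#!/bin/sh
# Added example: verify that a mount point carries the required mount options.
# Usage: mount_has_opts <mounts-text> <mountpoint> <opt1> [opt2 ...]
# Returns 0 if the mount point is present with all options, 1 otherwise.
mount_has_opts() {
    mounts="$1"; mp="$2"; shift 2
    # In /proc/mounts, field 2 is the mount point and field 4 the option list.
    # If a path is mounted more than once, the last entry is the active one.
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    [ -n "$opts" ] || return 1
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample: /tmp hardened as in the post, /var/tmp still on the root fs.
SAMPLE_MOUNTS='simfs / simfs rw 0 0
proc /proc proc rw 0 0
tmpfs /dev/shm tmpfs rw 0 0
tmpfs /tmp tmpfs rw,nosuid,noexec 0 0'

# Check the running system; a non-zero exit code flags a missing hardening.
check_live() {
    rc=0
    for dir in /tmp /var/tmp; do
        if mount_has_opts "$(cat /proc/mounts)" "$dir" noexec nosuid; then
            echo "OK   $dir is mounted noexec,nosuid"
        else
            echo "WARN $dir is not a noexec,nosuid mount"
            rc=1
        fi
    done
    return $rc
}

# Run against the live system only when asked: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it with `--live` after the mount command and again after a reboot to confirm the fstab entries took effect.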
