How to Fix "Ensure /tmp is configured" Without Being Flagged for Compliance ID 6112


By Omoniyi Jabaru, Senior Customer Success Engineer

 

Overview

 

The /tmp directory is a critical system directory used for temporary storage by various users and applications. As a world-writable directory, it provides a shared space for files that are created and used by different processes during their execution. However, because of its open-write nature, the /tmp directory can pose security risks if it is not properly configured.

 

Purpose

 

To mitigate these risks and enhance system security, it is necessary to ensure that the /tmp directory is mounted with appropriate settings. Mounting /tmp can enforce additional protections, such as preventing users from writing executable files, enforcing access control policies, and reducing the likelihood of malicious users exploiting the directory. This is especially important for systems that require high security or handle sensitive data.

By confirming that /tmp is mounted and properly configured, as shown in the /proc/mounts file, administrators can ensure that the directory is operating with the desired security settings, preventing potential vulnerabilities related to temporary file storage.

 

Before You Begin

 

To accomplish this, you will need to:

 

  • Have a running instance of the Prisma Cloud CWP Console.
  • Have a running AWS EC2 instance.
  • Have a Defender running on the AWS EC2 instance.


Launch an AWS EC2 instance

 

  1. Open and log in to the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. In the navigation bar at the top of the screen, we display the current AWS Region — for example, Ohio. You can use the selected Region, or optionally select a Region that is closer to you.
  3. From the EC2 console dashboard, in the Launch instance pane, choose Launch instance.
  4. Under Name and tags, for Name, enter a descriptive name for your instance.
  5. Under Application and OS Images (Amazon Machine Image), do the following:
    1. Choose Quick Start, and then choose the operating system (OS) for your instance. For your first Linux instance, we recommend that you choose Amazon Linux.
    2. From Amazon Machine Image (AMI), select an AMI that is marked Free Tier eligible.
  6. Under Instance type, for Instance type, choose t2.micro, which is eligible for the Free Tier. In Regions where t2.micro is not available, t3.micro is eligible for the Free Tier.
  7. Under Key pair (login), for Key pair name, choose an existing key pair or choose Create new key pair to create your first key pair.
  8. Configure Network settings.
  9. Configure storage. Notice that we configured a root volume but no data volumes. This is sufficient for test purposes.
  10. Review a summary of your instance configuration in the Summary panel, and when you're ready, choose Launch instance.
  11. Launch the instance.

 

Install a Container Defender On the Scanner EC2

 

  1. Go to Compute > Manage > Defenders > Defenders: Deployed and select Manual deploy.
  2. Under the Deployment method, select Single Defender.
  3. In Defender type, select Host Defender - Linux or Host Defender - Windows.
  4. Select the way the Defender connects to Console.
  5. (Optional) Set a custom communication port for the Defender to use.
  6. (Optional) Set a proxy for the Defender to use for communication with the Console.
  7. (Optional) Under Advanced Settings, Enable Assign globally unique names to Hosts when you have multiple hosts that can have the same hostname (like autoscale groups, and overlapping IP addresses).
    After setting the option to ON, Prisma Cloud appends a unique identifier, such as ResourceId, to the host’s DNS name. For example, an AWS EC2 host would have the following name: Ip-171-29-1-244.ec2internal-i-04a1dcee6bd148e2d.
  8. Copy the install script command from the right side panel, which is generated according to the options you selected. On the host where you want to install the Defender, paste the command into a shell window and run it.

Verify the Install

 

  • In the Console, go to Manage > Defenders > Defenders: Deployed.
  • Your new Defender should be listed in the table, and the status box should be green and checked.

 

For more info, review the Prisma Defender documentation below:

Install a Single Host Defender
                    

How Prisma Cloud Performs The Check

 

Prisma Cloud performs two checks to evaluate the configuration of the /tmp directory:

 

Active Mount Verification:
Prisma Cloud checks if /tmp is actively mounted by inspecting the system’s current mount points. This is done by querying the output of the mount command or by reading the /proc/mounts file. For example, it verifies that /tmp is mounted as a tmpfs (temporary file system) with the appropriate security options, such as nosuid, nodev, and seclabel, and that it has an adequate size and inode allocation.

 

A sample output might look like this:

[ec2-jabar@jabar~]$ mount | grep /tmp
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel,size=486136k,nr_inodes=1048576)

[ec2-jabar@jabar~]$ cat /proc/mounts | grep /tmp
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,size=486136k,nr_inodes=1048576 0 0


/etc/fstab Configuration Check


Prisma Cloud also verifies that /tmp is correctly defined in the system’s /etc/fstab file, which dictates the persistent mount configuration for system directories. This check ensures that the system will consistently mount /tmp with the correct options upon reboot.

 

By performing these two checks, Prisma Cloud ensures that the /tmp directory is both mounted with the appropriate settings now and configured to be mounted the same way after every reboot.

 

Reproduction Image:

 

Figure 1: Compliance ID 6112_PaloAltoNetworks

 

As shown in the screenshot, this discrepancy results in a "FAIL" in the evaluation, indicating that while the directory is mounted currently, it lacks a persistent configuration in /etc/fstab to ensure it remains mounted across system reboots.
Confirm /tmp is mounted with the command below:

[ec2-user@ip-172-31-27-111 ~]$ mount | grep /tmp
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel,size=486136k,nr_inodes=1048576)


The /tmp directory is indeed mounted as a tmpfs file system with the expected security options (rw, nosuid, nodev, seclabel) and the specified size and inode limits. However, the mount configuration for /tmp is not present in the /etc/fstab file, which means it is not set up for automatic mounting on system startup.

    
Resolution


Added Mount Definition to /etc/fstab:
The first step is to define the /tmp mount in the /etc/fstab file to ensure it gets mounted automatically during system startup. The following entry was added to /etc/fstab:

[ec2-user@ip-172-31-27-111 ~]$ sudo more /etc/fstab
UUID=7b395683-8f97-49be-bc51-d7b52020feb2   /      xfs  defaults,noatime 1  1
UUID=53F8-484B    /boot/efi    vfat defaults,noatime,uid=0,gid=0,umask=0077,shortname=winnt,x-systemd.automount 0 2
tmpfs  /tmp  tmpfs  defaults,noatime,nosuid,nodev  0  0


The added line ensures that the /tmp directory is mounted as a tmpfs file system with the appropriate security options (noatime, nosuid, nodev) and is configured to mount automatically on boot.

 

Re-mounted /tmp:
After modifying the /etc/fstab file, the system was instructed to apply the new mount configuration immediately by running:

sudo mount -a

 

This command forces the system to re-read the /etc/fstab file and mount any file systems that are not currently mounted, including the newly configured /tmp mount.

 

Re-scanned the Host:
Once the mount configuration was updated and applied, the host was re-scanned to verify the changes. The result of the scan now showed a PASS, indicating that the /tmp directory is correctly configured and mounted according to best practices.

 

Figure 2: Compliance Rescan For ID 6112_PaloAltoNetworks
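As an added illustration (not Prisma Cloud's or the author's code), the following script approximates the two-part check described in "How Prisma Cloud Performs The Check" and shows why the /etc/fstab entry added in the Resolution turns the result from FAIL to PASS. It runs on constructed sample lines mirroring the article's output; treating the noexec option (recommended in the Summary but absent from the added fstab line) as a warning rather than a failure is my assumption.

```shell
#!/usr/bin/env bash
# Added, stand-alone approximation of the two checks described in the article
# (not Prisma Cloud's own logic). It takes /proc/mounts-style and /etc/fstab-style
# text as arguments so it runs offline on the constructed sample lines below; on a
# live host: check_tmp "$(cat /proc/mounts)" "$(cat /etc/fstab)"

# Both formats share fields 1-4: device, mount point, fstype, options.
# Print the option string of the /tmp entry (skipping comments), or nothing.
tmp_options() {   # $1 = mount-table text
  printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/tmp" { print $4; exit }'
}

# Succeed only if every comma-separated option in $2 is present in option list $1.
has_options() {   # $1 = "rw,nosuid,nodev"  $2 = "nosuid,nodev"
  local opts=",$1," want
  for want in $(printf '%s' "$2" | tr ',' ' '); do
    case "$opts" in *",$want,"*) ;; *) return 1 ;; esac
  done
}

# Check 1: /tmp is an active mount. Check 2: /tmp is declared in fstab with
# nosuid,nodev. seclabel is added by the kernel when SELinux is active and is
# never written in fstab, so it is not required there. noexec (recommended in
# the Summary) is only warned about; treating it as a warning is an assumption.
check_tmp() {     # $1 = /proc/mounts text, $2 = /etc/fstab text
  local live fstab
  live=$(tmp_options "$1")
  fstab=$(tmp_options "$2")
  [ -n "$live" ]  || { echo "FAIL: /tmp is not mounted"; return 1; }
  [ -n "$fstab" ] || { echo "FAIL: /tmp mounted but not declared in /etc/fstab"; return 1; }
  has_options "$fstab" "nosuid,nodev" || { echo "FAIL: fstab entry lacks nosuid,nodev"; return 1; }
  has_options "$fstab" "noexec" || echo "WARN: fstab entry lacks noexec"
  echo "PASS"
}

# Constructed sample input mirroring the article's before/after state.
MOUNTS='tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,size=486136k,nr_inodes=1048576 0 0'
FSTAB_BEFORE='UUID=7b395683-8f97-49be-bc51-d7b52020feb2 / xfs defaults,noatime 1 1'
FSTAB_AFTER="$FSTAB_BEFORE
tmpfs /tmp tmpfs defaults,noatime,nosuid,nodev 0 0"

check_tmp "$MOUNTS" "$FSTAB_BEFORE" || true   # FAIL: /tmp mounted but not declared in /etc/fstab
check_tmp "$MOUNTS" "$FSTAB_AFTER"            # WARN: fstab entry lacks noexec, then PASS
```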

 

Summary


Ensuring that the /tmp directory is properly mounted is crucial for both system security and functionality. Here are the key reasons why:

 

  1. Security: The /tmp directory is a world-writable space used by various processes and applications to store temporary files. If /tmp is not mounted with proper security settings (e.g., as tmpfs with options like nosuid, nodev, and noexec), it can become a potential attack vector. Malicious users could exploit it to store and execute malicious scripts, create symbolic links, or escalate privileges. Mounting /tmp with the appropriate options helps mitigate these risks by restricting executable file creation and limiting access to the directory.

  2. System Integrity: When /tmp is mounted as tmpfs (a temporary file system stored in memory), its contents are volatile and get cleared on reboot. This prevents residual sensitive data from lingering on disk. If /tmp is not mounted, temporary files might persist on disk unnecessarily, potentially exposing sensitive information.

  3. System Consistency: Configuring /tmp in /etc/fstab ensures it is automatically mounted with the correct settings at boot time, providing consistency across system reboots. Without this configuration, the system might not correctly mount /tmp on startup, leading to unpredictable behavior or failure of applications that rely on it.

 

In summary, mounting /tmp with appropriate options is essential for securing the system, ensuring proper operation of applications, maintaining performance, and safeguarding sensitive data.

 

Conclusion

 

Prisma Cloud plays a crucial role in ensuring that the /tmp directory is properly mounted and configured according to best security practices. By evaluating the mount status and verifying its configuration in both active mount points and the /etc/fstab file, Prisma Cloud helps ensure that the /tmp directory is securely mounted with the correct options, such as nosuid, nodev, and noexec. This not only prevents potential security vulnerabilities, such as unauthorized code execution or privilege escalation, but also ensures that the system's temporary file storage is consistent and properly managed across reboots.

Given that /tmp is a shared, world-writable directory used by various users and applications, Prisma Cloud’s automated checks and monitoring provide essential visibility and enforcement of system hardening requirements. This proactive approach minimizes risks, improves system reliability, and enhances overall security posture by ensuring that /tmp is correctly configured and compliant with organizational and regulatory standards. In this way, Prisma Cloud is an essential tool in maintaining the integrity and safety of system environments.

 

References

 


About the Author

 

Omoniyi Jabaru is a senior customer success engineer specializing in Prisma Cloud, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. He uses simple approaches to break down complex problems into solutions for global enterprise customers and leverages his multi-industry knowledge to inspire success.



 

 

Last Updated: 12-10-2024 05:15 PM