files/etc/systemd/system/tmp.mount is switching /tmp to tmpfs about rhel7-cis HOT 7 CLOSED

The default tmp.mount that comes with rhel7 is tmpfs, but it is disabled by default.
This role implements a security enhanced version of the redhat provided mount file.
What are your specific concerns? The role could potentially be extended to support non tmpfs.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/migration_planning_guide/sect-red_hat_enterprise_linux-migration_planning_guide-file_system_layout#sect-Red_Hat_Enterprise_Linux-Migration_Planning_Guide-File_System_Layout-Temporary_storage_space

from rhel7-cis.

ram consumption.
oracle or similar process already has dibs on large chunk of the RAM, user or process consumes /tmp which is backed by RAM, perhaps inadvertently

i am going to leave it as for the majority of our boxes and flip the configuration on our oracle boxes

from rhel7-cis.

@erpadmin I have the same concern. Will you just override the file from within another role, and call systemd to reload?

from rhel7-cis.

yes that is the plan for an oracle role which runs after CIS. we already already having issues with Oracle and noexec on /tmp since Oracle's runinstaller has a habit of coping the installer to /tmp and then executes it.

from rhel7-cis.

You shouldn't need a separate role, just set the following to false in your group_vars

rhel7cis_rule_1_1_2
rhel7cis_rule_1_1_3
rhel7cis_rule_1_1_4
rhel7cis_rule_1_1_5

from rhel7-cis.

in the context of only CIS sure no separate role would be needed.

i use a common roles and application specific roles during initial build outs so its simpler for me to to add "nonstandard" changes elsewhere otherwise sooner or later those CIS variables get left set incorrectly by someone

from rhel7-cis.

closing issue

from rhel7-cis.