Yes, you can automate the steps to secure the /tmp directory using a shell script. Below is an example script that implements several of the security measures discussed:
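```bash
#!/bin/bash
# Must run as root: the script edits /etc/fstab and root's crontab
if [ "$(id -u)" -ne 0 ]; then
    echo "Run this script as root" >&2
    exit 1
fi

# Set proper permissions for /tmp
chmod 1777 /tmp
echo "Set permissions to 1777 for /tmp"

# Back up /etc/fstab before editing it
cp -p /etc/fstab /etc/fstab.bak

# Modify /etc/fstab to mount /tmp with noexec, nosuid, and nodev options.
# Match on the mount point field so /var/tmp and comment lines are ignored.
if ! awk '$1 !~ /^#/ && $2 == "/tmp" { f = 1 } END { exit !f }' /etc/fstab; then
    echo "tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0" >> /etc/fstab
    echo "Added /tmp entry to /etc/fstab with noexec, nosuid, and nodev options"
else
    echo "/tmp entry already exists in /etc/fstab (its options are left unchanged)"
fi

# Limit size of /tmp (optional, adjust size as needed).
# size= is a tmpfs option, so only a tmpfs /tmp entry without size= is edited.
if awk '$1 !~ /^#/ && $2 == "/tmp" && $3 == "tmpfs" && $4 ~ /defaults/ && $4 !~ /size=/ { f = 1 } END { exit !f }' /etc/fstab; then
    sed -i -E '/^[[:space:]]*[^#[:space:]]+[[:space:]]+\/tmp[[:space:]]+tmpfs[[:space:]]/ s/defaults/defaults,size=1G/' /etc/fstab
    echo "Limited size of /tmp to 1G in /etc/fstab"
else
    echo "Size limit not changed: already set, or /tmp is not a tmpfs entry using defaults"
fi

# Create a cron job for regular cleanup (e.g., daily cleanup of files older than 7 days)
CRON_JOB="0 0 * * * find /tmp -type f -mtime +7 -exec rm {} \;"
# Tolerate an empty crontab and drop any earlier copy so reruns add no duplicate
(crontab -l 2>/dev/null | grep -vF "$CRON_JOB"; echo "$CRON_JOB") | crontab -
echo "Scheduled daily cleanup of /tmp for files older than 7 days"

# Notify user
echo "Automation of /tmp security measures completed. Please reboot for changes to take effect."
```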
Instructions to Use the Script:
- Create the Script: Save the above script to a file, for example, `secure_tmp.sh`.
- Make it Executable: Run the following command to make the script executable: `chmod +x secure_tmp.sh`
- Run the Script: Execute the script with root privileges: `sudo ./secure_tmp.sh`
Important Notes:
- Backup: Always back up your `/etc/fstab` file before making changes.
- Reboot: Some changes (like those in `/etc/fstab`) will require a reboot to take effect.
- Adjust Size: Modify the size limit in the script as needed based on your requirements.
- Test: Test the script in a safe environment before deploying it on production systems.
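
Because the `/etc/fstab` changes only apply after a remount or reboot, it helps to check what is actually in effect. The following is an added example, not part of the original answer: the function names `missing_tmp_opts` and `tmp_mode_ok` and the sample mount tables are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example: audit the /tmp hardening on the running system.

# missing_tmp_opts: reads mount-table text on stdin (/proc/mounts or /etc/fstab
# layout: device mountpoint fstype options ...) and prints the hardening options
# the /tmp entry lacks, space separated. Prints nothing when all three are set,
# and "no-tmp-entry" when no line has /tmp as its mount point.
missing_tmp_opts() {
    awk '
        # Exact match on field 2, so /var/tmp is ignored; the last entry wins
        # because a later mount on the same path covers the earlier one.
        $1 !~ /^#/ && $2 == "/tmp" { opts = $4; seen = 1 }
        END {
            if (!seen) { print "no-tmp-entry"; exit }
            split(opts, list, ",")
            for (i in list) has[list[i]] = 1
            n = split("noexec nosuid nodev", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in has))
                    out = (out == "" ? want[i] : out " " want[i])
            print out
        }'
}

# tmp_mode_ok DIR: succeeds only when DIR has mode 1777 (GNU stat).
tmp_mode_ok() { [ "$(stat -c '%a' "$1" 2>/dev/null)" = "1777" ]; }

# Constructed sample mount tables, not taken from a real host.
SAMPLE_HARDENED='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=1048576k 0 0'
SAMPLE_WEAK='tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda2 /tmp ext4 rw,nodev,relatime 0 0'

# Live check: /proc/mounts shows the options actually in effect, which differ
# from /etc/fstab until the next remount or reboot.
if [ -r /proc/mounts ]; then
    echo "/tmp missing options: $(missing_tmp_opts < /proc/mounts)"
    if tmp_mode_ok /tmp; then echo "/tmp mode: 1777"; else echo "/tmp mode: not 1777"; fi
fi
```

Feeding it `/etc/fstab` instead of `/proc/mounts` shows what the next boot will apply, so a difference between the two outputs means a remount or reboot is still pending.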
