Details

The nosuid mount option specifies that the filesystem cannot contain setuid files.

Rationale:

Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp.

Solution

IF /etc/fstab is used to mount /tmp
Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information.
Run the following command to remount /tmp :

# mount -o remount,nosuid /tmp

OR if systemd is used to mount /tmp:
Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuid to the /tmp mount options:

[Mount]
Options=mode=1777,strictatime,noexec,nodev,nosuid

Run the following command to restart the systemd daemon:

# systemctl daemon-reload

Run the following command to restart tmp.mount:

# systemctl restart tmp.mount

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3468

This security hardening control applies to the following category of controls within NIST 800-53: Access Control, Configuration Management, Identification and Authentication, Media Protection.This control applies to the following type of system Unix.

References

• 800-53|AC-3
• 800-53|CM-1
• 800-53|CM-2
• 800-53|CM-6
• 800-53|CM-7
• 800-53|IA-5
• 800-53|MP-2
• CSCv7|5.1
• CSCv7|13

Source

• Tenable.com/audits