Want To Suppress Security Configuration Assessment Alert
45 views
Skip to first unread message
Shihab Hossain Shifat
Nov 19, 2025, 10:57:37 AM (3 days ago) Nov 19
to Wazuh | Mailing List
For Security Configuration AssessmentIn attached image you can see /tmp should be in a separate partition. But I want my tmp directory inside same root partition so I don't want it to be show here by using Center for Internet Security Debian Linux 12 Benchmark v1.1.0 policy. How to do it?
Best Regards
Shifat
Best Regards
Shifat
jesusd...@wazuh.com
Nov 20, 2025, 2:14:09 AM (3 days ago) Nov 20
to Wazuh | Mailing List
Hi,
According to the SCA documentation, there are two options to remove this policy benchmark:
On the Wazuh agent node where you want to disable the policy, rename the file /var/ossec/ruleset/sca/cis_debian12.yml by adding the .disabled extension. This file contains the rule 33010.
Alternatively, disable it through the Wazuh agent configuration file located at /var/ossec/etc/ossec.conf. Add a line to the <policy> section of the SCA module specifying the policy file to disable. Ensure you set the enabled attribute to "no".
<sca>
<policies>
<policy enabled="no">etc/shared/<POLICY_FILE_TO_DISABLE></policy>
</policies>
</sca>
<policies>
<policy enabled="no">etc/shared/<POLICY_FILE_TO_DISABLE></policy>
</policies>
</sca>
Note that disabling the file /var/ossec/ruleset/sca/cis_debian12.yml will deactivate all policies contained within it. If you only intend to remove the rule 33010, a more precise approach would be:
- Create a backup of the original cis_debian12.yml file in a secure location. If backing it up within the same directory, ensure the backup file does not end with .yml or .yaml. For example, you can add the .disabled extension:
- cp /var/ossec/ruleset/sca/cis_debian12.yml /var/ossec/ruleset/sca/cis_debian12.yml.disabled
- Open the cis_debian12.yml file in a text editor.
- Locate the block corresponding to rule 33010 and comment it out by adding the # symbol. This section is typically between lines 43 and 69.
Example with 33010 rule commented out in /var/ossec/ruleset/sca/cis_debian12.yml
# 1.1.2.1.1 Ensure /tmp is a separate partition. (Automated)
# - id: 33010
# title: "Ensure /tmp is a separate partition."
# description: 'The /tmp directory is a world-writable directory used for temporary storage by all users and some applications. - IF - an entry for /tmp exists in /etc/fstab it will take precedence over entries in systemd default unit file. Note: In an environment where the main system is diskless and connected to iSCSI, entries in /etc/fstab may not take precedence. /tmp can be configured to use tmpfs. tmpfs puts everything into the kernel internal caches and grows and shrinks to accommodate the files it contains and is able to swap unneeded pages out to swap space. It has maximum size limits which can be adjusted on the fly via mount -o remount. Since tmpfs lives completely in the page cache and on swap, all tmpfs pages will be shown as "Shmem" in /proc/meminfo and "Shared" in free. Notice that these counters also include shared memory. The most reliable way to get the count is using df and du. tmpfs has three mount options for sizing: - size: The limit of allocated bytes for this tmpfs instance. The default is half of your physical RAM without swap. If you oversize your tmpfs instances the machine will deadlock since the OOM handler will not be able to free that memory. - nr_blocks: The same as size, but in blocks of PAGE_SIZE. - nr_inodes: The maximum number of inodes for this instance. The default is half of the number of your physical RAM pages, or (on a machine with highmem) the number of lowmem RAM pages, whichever is the lower. These parameters accept a suffix k, m or g and can be changed on remount. The size parameter also accepts a suffix % to limit this tmpfs instance to that percentage of your physical RAM. The default, when neither size nor nr_blocks is specified, is size=50%.'
# rationale: "Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken, and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
# impact: "By design files saved to /tmp should have no expectation of surviving a reboot of the system. tmpfs is ram based and all files stored to tmpfs will be lost when the system is rebooted. If files need to be persistent through a reboot, they should be saved to /var/tmp not /tmp. Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to tmpfs or a separate partition. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / partition. On the other hand, a RAM-based /tmp (as with tmpfs) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs which is RAM-based."
# remediation: "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /tmp 0 tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 Note: the size=2G is an example of setting a specific size for tmpfs. Example of using a volume or disk with specific mount options. The source location of the volume or disk will vary depending on your environment: <device> /tmp <fstype> defaults,nodev,nosuid,noexec 0 0."
# references:
# - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
# - "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html"
# - "https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt"
# compliance:
# - cis: ["1.1.2.1.1"]
# - cis_csc_v8: ["4.8"]
# - cis_csc_v7: ["9.2"]
# - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
# - iso_27001-2013: ["A.13.1.3"]
# - mitre_mitigations: ["M1022"]
# - mitre_tactics: ["TA0005"]
# - mitre_techniques: ["T1499", "T1499.001"]
# - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
# - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
# - soc_2: ["CC6.3", "CC6.6"]
# condition: all
# rules:
# - 'c:findmnt -kn /tmp -> r:^\s*/tmp\s'
# - "c:systemctl is-enabled tmp.mount -> !r:masked|disabled && r:generated|enabled"
# - id: 33010
# title: "Ensure /tmp is a separate partition."
# description: 'The /tmp directory is a world-writable directory used for temporary storage by all users and some applications. - IF - an entry for /tmp exists in /etc/fstab it will take precedence over entries in systemd default unit file. Note: In an environment where the main system is diskless and connected to iSCSI, entries in /etc/fstab may not take precedence. /tmp can be configured to use tmpfs. tmpfs puts everything into the kernel internal caches and grows and shrinks to accommodate the files it contains and is able to swap unneeded pages out to swap space. It has maximum size limits which can be adjusted on the fly via mount -o remount. Since tmpfs lives completely in the page cache and on swap, all tmpfs pages will be shown as "Shmem" in /proc/meminfo and "Shared" in free. Notice that these counters also include shared memory. The most reliable way to get the count is using df and du. tmpfs has three mount options for sizing: - size: The limit of allocated bytes for this tmpfs instance. The default is half of your physical RAM without swap. If you oversize your tmpfs instances the machine will deadlock since the OOM handler will not be able to free that memory. - nr_blocks: The same as size, but in blocks of PAGE_SIZE. - nr_inodes: The maximum number of inodes for this instance. The default is half of the number of your physical RAM pages, or (on a machine with highmem) the number of lowmem RAM pages, whichever is the lower. These parameters accept a suffix k, m or g and can be changed on remount. The size parameter also accepts a suffix % to limit this tmpfs instance to that percentage of your physical RAM. The default, when neither size nor nr_blocks is specified, is size=50%.'
# rationale: "Making /tmp its own file system allows an administrator to set additional mount options such as the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hard link to a system setuid program and wait for it to be updated. Once the program was updated, the hard link would be broken, and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
# impact: "By design files saved to /tmp should have no expectation of surviving a reboot of the system. tmpfs is ram based and all files stored to tmpfs will be lost when the system is rebooted. If files need to be persistent through a reboot, they should be saved to /var/tmp not /tmp. Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to tmpfs or a separate partition. Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a configuration where /tmp is not a separate file system it will essentially have the whole disk available, as the default installation only creates a single / partition. On the other hand, a RAM-based /tmp (as with tmpfs) will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily. Another alternative is to create a dedicated partition for /tmp from a separate volume or disk. One of the downsides of a disk-based dedicated partition is that it will be slower than tmpfs which is RAM-based."
# remediation: "First ensure that systemd is correctly configured to ensure that /tmp will be mounted at boot time. # systemctl unmask tmp.mount For specific configuration requirements of the /tmp mount for your environment, modify /etc/fstab. Example of using tmpfs with specific mount options: tmpfs /tmp 0 tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 Note: the size=2G is an example of setting a specific size for tmpfs. Example of using a volume or disk with specific mount options. The source location of the volume or disk will vary depending on your environment: <device> /tmp <fstype> defaults,nodev,nosuid,noexec 0 0."
# references:
# - "https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/"
# - "https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html"
# - "https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt"
# compliance:
# - cis: ["1.1.2.1.1"]
# - cis_csc_v8: ["4.8"]
# - cis_csc_v7: ["9.2"]
# - cmmc_v2.0: ["CM.L2-3.4.7", "CM.L2-3.4.8", "SC.L2-3.13.6"]
# - iso_27001-2013: ["A.13.1.3"]
# - mitre_mitigations: ["M1022"]
# - mitre_tactics: ["TA0005"]
# - mitre_techniques: ["T1499", "T1499.001"]
# - pci_dss_v3.2.1: ["1.1.6", "1.2.1", "2.2.2", "2.2.5"]
# - pci_dss_v4.0: ["1.2.5", "2.2.4", "6.4.1"]
# - soc_2: ["CC6.3", "CC6.6"]
# condition: all
# rules:
# - 'c:findmnt -kn /tmp -> r:^\s*/tmp\s'
# - "c:systemctl is-enabled tmp.mount -> !r:masked|disabled && r:generated|enabled"
Shihab Hossain Shifat
Nov 21, 2025, 2:03:04 AM (yesterday) Nov 21
to Wazuh | Mailing List
Hi Garcia,
It worked. Thanks for your support.
I have a couple of questions regarding CIS:
-
When I comment out a rule, it doesn’t seem to affect the passing score. Is there any way to make the score reflect the commented rule?
-
How often is the file /var/ossec/ruleset/sca/cis_debian12.yml updated?
-
When it updates, will my commented lines be overwritten again?
Best regards,
Shifat
jesusd...@wazuh.com
2:37 AM (20 hours ago) 2:37 AM
to Wazuh | Mailing List
Hi,
I'm glad to hear it worked for you!
Take into account:
- Please ensure you run the SCA scan again after disabling the intended policies.
- After doing so, the score numbers and percentages must adapt to the new number of available policies
- The /var/ossec/ruleset/sca/cis_debian12.yml file is not frequently modified. It is only updated when installing new Wazuh versions or upgrading from older ones. While the latest versions appear to leave this file unchanged, future updates may include modifications.
- It is possible that future updates to the file could conflict with your changes. For this reason, I strongly recommend creating a backup of the policies to safeguard against potential errors or issues.
If you have any additional questions, please don't hesitate to start a new thread/conversation/issue.
Reply all
Reply to author
Forward
0 new messages