SysAdminGear

Keep you server clean of rookits is a good idea to get a good security level. A sysadministrator can create a seperate partition for /tmp and mount it with noexec and nosuid parameters. And to do it is not necessary to reboot or repartition your drive.

1. First you should secure /tmp:

Make a 1GB file for /tmp parition and an ext3 filesystem for tmp:
# dd if=/dev/zero of=/dev/tmpFS bs=1024 count=1000000
# /sbin/mkfs.ext3 /dev/tmpFS

Create a backup copy of your current /tmp drive:
# cp -Rpf /tmp /tmpbackup

Mount our new tmp parition and change permissions:
# mount -o loop,noexec,nosuid,rw /dev/tmpFS /tmp
# chmod 1777 /tmp

Copy the old data:
cp -Rpf /tmpbackup/* /tmp/

If you run the mount command and you should get something like this:
/dev/tmpMnt on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)

Edit /etc/fstab and add this:
/dev/tmpMnt /tmp ext3 loop,nosuid,noexec,rw 0 0

Test your fstab entry:
# mount -o remount /tmp

You can test it runnig a script on /tmp partitio, if you get "permission denied" it is fine :)


2. Secure /var/tmp:

It should be done because some applications use /var/tmp as the temporary folder, and anything that's accessible by all, needs to be secured.

Rename it and create a symbolic link to /tmp:
# mv /var/tmp /var/tmp1
# ln -s /tmp /var/tmp

Copy the old data back:
# cp /var/tmpold/* /tmp/

Note: you should restart and services that uses /tmp partition

3. Securing /dev/shm:

To get all the work well done, you should secure /dev/shm to stop rootkits running here.

Edit your /etc/fstab:
# nano /etc/fstab

change:
"none /dev/shm tmpfs defaults,rw 0 0" to
"none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0"

Remount /dev/shm:
# mount -o remount /dev/shm

It should be fine now. You can also read related posts:
How to install Rkhunter
How to install Rootcheck