
Ubuntu - Ram Disk - Mount Logs and Temporary Directories in RAM

To enhance user privacy and reduce the risk of activity tracking on Linux systems, mount temporary directories such as /tmp, /var/tmp, and /var/log in RAM using tmpfs.

  • This ensures these directories are cleared at every reboot, leaving no logs or temp files behind.
  • The tmpfs filesystem is a RAM-based filesystem that stores all data in volatile memory rather than on a persistent storage device, making it ideal for privacy-focused configurations.

To keep the system functional, the needed log directory structure is automatically created at startup, ensuring that applications expecting these directories will not fail and critical system services can still operate normally.

The directories being focused on include:

  • /tmp – Used by applications for temporary files that often contain sensitive information.
  • /var/tmp – Similar to /tmp but usually preserved between reboots (this behavior will be changed).
  • /var/log – Contains system and application logs that can reveal user activity patterns and behavior.

The security and privacy benefits include:

  • No Persistent Logs: All activity records vanish completely after shutdown, leaving no forensic trail.
  • Reduced Disk Wear: Fewer writes to SSD or HDD improve drive longevity, especially for SSDs with limited write cycles.
  • Performance Boost: RAM is significantly faster than disk storage, improving system performance for temporary file operations.
  • Protection Against Data Recovery: Even advanced forensic tools cannot recover data that was never written to disk.

WARNING: All activity logs will exist only in RAM and be completely erased when your system powers down or reboots, leaving no trace for forensic analysis.

  • There will be no ability to access logs from previous sessions.

Edit fstab

Edit fstab to use tmpfs.

  • Add tmpfs mount entries for /tmp, /var/tmp, and /var/log.

Append the following lines to mount these directories in RAM:

/etc/fstab
tmpfs /tmp       tmpfs defaults,noatime,mode=1777,size=512M 0 0
tmpfs /var/tmp   tmpfs defaults,noatime,mode=1777,size=512M 0 0
tmpfs /var/log   tmpfs defaults,noatime,mode=0755,size=50M  0 0

NOTE: These entries mount the target directories into RAM on each boot with limited memory usage.

  • defaults – Uses the default mount options for tmpfs.
  • noatime – Disables updating access time on files, reducing unnecessary writes to RAM.
  • mode=1777 – Sets permissions to allow all users to write to the directory but prevents them from deleting files owned by others (sticky bit).
  • mode=0755 – For /var/log, sets more restrictive permissions appropriate for log files.
  • size=512M or size=50M – Limits the maximum amount of RAM each directory can use to prevent memory exhaustion.
  • 0 0 – Disables dump backups (fifth field) and boot-time filesystem checks (sixth field), as they’re unnecessary for tmpfs.

The amount of RAM for /var/log can be increased as needed.

  • Just ensure there is enough memory available.
  • For systems with heavy logging, perhaps increase this from 50M to 100M or more.
  • To see how much space is being used, monitor the RAM usage with:
    df -h /var/log
  • If the system has limited RAM, allocating too much to tmpfs could lead to memory pressure.
    • Start with conservative sizes and adjust based on the system resources and needs.

Create a systemd service to recreate log structure

Ensure that essential /var/log sub-directories exist after reboot.

Create the file /etc/systemd/system/log-tmpfs-init.service, with the following content:

/etc/systemd/system/log-tmpfs-init.service
[Unit]
Description=Initialize /var/log directory structure
DefaultDependencies=no
After=local-fs.target
Before=multi-user.target
 
[Service]
Type=oneshot
ExecStart=/usr/local/bin/init-log-tmpfs.sh
RemainAfterExit=true
 
[Install]
WantedBy=multi-user.target

NOTE: This systemd unit runs a script on boot to recreate the log directory layout.

  • It executes early in the boot process after filesystems are mounted but before most services start, runs once to initialize directories, and remains marked as active afterward.
  • The service is configured to start automatically during normal system boot.

Create the log structure script

This script will rebuild critical directories.

Create the file /usr/local/bin/init-log-tmpfs.sh, with the following content:

/usr/local/bin/init-log-tmpfs.sh
#!/bin/bash
 
# Create essential log directories used by various system services.
mkdir -p /var/log/journal /var/log/cups /var/log/lightdm /var/log/apt /var/log/installer /var/log/nginx /var/log/mysql
 
# Create essential log files that some applications explicitly check for.
touch /var/log/wtmp /var/log/btmp /var/log/lastlog
 
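# Set correct ownership and permissions on authentication log files.
# btmp records failed logins (which can include mistyped passwords), so it is not world-readable.
chown root:utmp /var/log/wtmp /var/log/btmp
chmod 664 /var/log/wtmp
chmod 660 /var/log/btmp
chmod 644 /var/log/lastlog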
 
# Restart the journal service to ensure it writes to the newly created directories.
systemctl restart systemd-journald

NOTE: This script creates the necessary directory structure and files for system functionality.

  • It sets up log directories for critical services (systemd, printing, display, package management, etc.).
  • It creates essential authentication log files (wtmp, btmp, lastlog).
  • It applies proper security permissions.
  • It restarts the journaling service to ensure it recognizes the new structure.

Make the log structure script executable

sudo chmod +x /usr/local/bin/init-log-tmpfs.sh

Enable the log-tmpfs-init service and reload systemd

Apply the changes to systemd:

sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl enable log-tmpfs-init.service

NOTE: These commands refresh the systemd configuration, apply the new service definition, and enable the new log-tmpfs-init service to start automatically at boot time.

  • daemon-reexec - ensures systemd itself is restarted with the new configuration.
  • daemon-reload - makes systemd aware of our new service file.
  • enable log-tmpfs-init.service - sets up the service to run on each system startup.

Reboot

sudo reboot

NOTE: A system reboot is necessary to fully apply the tmpfs mounts defined in fstab.

  • After rebooting, the temporary directories will be mounted in RAM, and the log structure will be automatically recreated by our systemd service.
  • This ensures a clean system state with privacy protection active.

Test the new configuration

Verify that everything is working correctly.

mount | grep tmpfs
ls -la /var/log
df -h | grep tmpfs

NOTE: After rebooting, these commands will help to verify that this configuration is working properly.

  • The first command confirms that the directories are indeed mounted as tmpfs filesystems.
  • The second command shows that the log directory structure has been properly recreated by the new log-tmpfs-init service.
  • The third command displays the size and usage of the tmpfs mounts, which allows the monitoring of memory usage and ensures the allocated sizes are appropriate for the system.
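The same check can be scripted so that it fails loudly when one of the three directories is not on tmpfs. This is an added example, not part of the original page; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that /tmp, /var/tmp and /var/log are tmpfs mounts.
# Input is a mount table in /proc/mounts format (file path, or "-" for stdin).

# check_tmpfs_mounts [TABLE] -> one status line per directory;
# exit status is non-zero if any directory is missing or not tmpfs.
check_tmpfs_mounts() {
    awk '
        BEGIN { n = split("/tmp /var/tmp /var/log", want, " ") }
        # A later entry for the same mount point overrides an earlier one,
        # which matches how stacked mounts behave.
        { fstype[$2] = $3; opts[$2] = $4 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                d = want[i]
                if (!(d in fstype))            { print d, "MISSING"; bad = 1 }
                else if (fstype[d] != "tmpfs") { print d, "NOT-TMPFS:" fstype[d]; bad = 1 }
                else                           { print d, "ok", opts[d] }
            }
            exit bad
        }' "${1:-/proc/mounts}"
}

# Constructed sample: /var/tmp has no mount entry (for example a mistyped
# fstab line) and /var/log is still on a disk partition.
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=401408k,mode=755 0 0
tmpfs /tmp tmpfs rw,noatime,size=524288k,inode64 0 0
/dev/sda3 /var/log ext4 rw,relatime 0 0
EOF
}

# Demo on the constructed table; call check_tmpfs_mounts with no argument
# to check the live system instead.
sample_mounts | check_tmpfs_mounts - || echo "one or more directories are not on tmpfs"
```
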

How to troubleshoot issues if all logs are cleared at reboot

For troubleshooting specific issues, temporarily set up selective log persistence by creating a small script that copies important logs to a secure location before shutdown.

  • Alternatively, temporarily disable the tmpfs mounts by commenting out the relevant lines in /etc/fstab and rebooting.
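One way to write the selective persistence script mentioned above, as an added example that is not part of the original page. The script name persist-logs.sh, the archive path /var/lib/log-archive and the choice of log files are assumptions; the destination must be on persistent storage, not on one of the tmpfs mounts.

```shell
#!/bin/sh
# Added example: copy selected logs out of the tmpfs-backed /var/log into an
# owner-only snapshot directory. Paths and the log list are assumptions.
# To run it at shutdown, call it from the ExecStop= line of a systemd
# oneshot unit that has RemainAfterExit=yes.

# persist_logs SRC_DIR DEST_DIR NAME... -> prints the snapshot directory.
# The body runs in a subshell, so the umask change does not leak to the caller.
persist_logs() (
    src=$1; dest=$2; shift 2
    umask 077                                   # new dirs and files: owner only
    snap="$dest/$(date +%Y%m%dT%H%M%S)"
    mkdir -p "$snap" || exit 1
    copied=0
    for name in "$@"; do
        # Accept plain file names only, so a bad argument cannot escape SRC_DIR.
        case $name in
            */*|..|.|'') continue ;;
        esac
        [ -f "$src/$name" ] || continue         # skip logs that do not exist
        if cp -p "$src/$name" "$snap/$name"; then
            chmod 600 "$snap/$name"             # cp -p keeps the source mode
            copied=$((copied + 1))
        fi
    done
    if [ "$copied" -eq 0 ]; then                # leave no empty snapshot behind
        rmdir "$snap"
        exit 1
    fi
    echo "$snap"
)

# Usage: sh persist-logs.sh /var/log /var/lib/log-archive syslog auth.log
if [ "$#" -ge 3 ]; then
    persist_logs "$@"
fi
```

Remove the snapshots and the shutdown hook once troubleshooting is finished, otherwise the archive becomes the persistent log trail the tmpfs mounts were meant to avoid.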

TAGS

  • TAG: Administration
  • TAG: Filesystem
  • TAG: Privacy
  • TAG: Scripting
  • TAG: Security

ubuntu/ram_disk/mount_logs_and_temporary_directories_in_ram.txt · Last modified: 2025/05/21 08:39 by peter
