Run foreman.service with systemd PrivateTmp=true
When foreman.service or foreman-proxy.service is started, it creates a world-writable directory, `/tmp/bundler/home`. Some users have reported that this triggers alarms in their security scans. Daemons that use `PrivateTmp=true` in their systemd unit files instead create their tmp directories at `/tmp/systemd-private-*-httpd.service-*/`, with correct directory permissions.
As an example, `PrivateTmp=true` is the default setting for httpd shipped from RHEL-7 onwards.
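An added example (not part of the original report or Foreman's code): a shell check that lists world-writable directories with their mode and reads whether a unit file plus its drop-ins enables `PrivateTmp`. The function names, the drop-in file name and every path in the demo are constructed assumptions; GNU `find` and `stat` are assumed.

```shell
#!/bin/sh
# Added example; every path and unit file below is constructed for the demo.

# Print "MODE PATH" for each world-writable directory under $1.
# Mode 1777 has the sticky bit set (like /tmp itself); 777 does not.
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -exec stat -c '%a %n' {} +
}

# Print "yes" or "no": the PrivateTmp= value in [Service] across the unit
# file and drop-ins given in load order (a later assignment wins).
# On a live host the equivalent is: systemctl show -p PrivateTmp foreman.service
private_tmp_setting() {
    awk '
        FNR == 1 { in_service = 0 }
        /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_service && /^[ \t]*PrivateTmp[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            val = tolower(val)
            result = (val == "true" || val == "yes" || val == "1" || val == "on") ? "yes" : "no"
        }
        END { print (result == "" ? "no" : result) }
    ' "$@"
}

demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/tmp/bundler/home" "$root/unit.d"
    chmod 0777 "$root/tmp/bundler/home"   # constructed stand-in for /tmp/bundler/home
    printf '[Unit]\nDescription=constructed unit\n[Service]\nExecStart=/bin/true\n' \
        > "$root/foreman.service"
    printf '[Service]\nPrivateTmp=true\n' > "$root/unit.d/private-tmp.conf"

    echo "world-writable directories:"
    world_writable_dirs "$root"
    echo "PrivateTmp, unit only:    $(private_tmp_setting "$root/foreman.service")"
    echo "PrivateTmp, with drop-in: $(private_tmp_setting "$root/foreman.service" \
        "$root/unit.d/private-tmp.conf")"
    rm -rf "$root"
}

demo
```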