Title

The system must use a separate file system for /var. (Cat III impact)

Discussion

Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories, installed by other software packages.

Check Content

Run the following command to determine if "/var" is on its own partition or logical volume: $ mount | grep "on /var " If "/var" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.

Fix Text

The "/var" directory is used by daemons and other system services to store frequently-changing data. Ensure that "/var" has its own partition or logical volume at installation time, or migrate it using LVM.

Additional Identifiers

Rule ID: SV-217847r603264_rule

Vulnerability ID: V-217847

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.