1.1.6.1 Ensure separate partition exists for /var/log/audit

Information

The auditing daemon, auditd stores log data in the /var/log/audit directory.

The reasoning for mounting /var/log/audit on a separate partition is as follows.

Protection from resource exhaustion

The default installation only creates a single / partition. Since the /var/log/audit directory contains the audit.log file which can grow quite large, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system as a whole. In addition, other operations on the system could fill up the disk unrelated to /var/log/audit and cause auditd to trigger it's space_left_action as the disk is full. See man auditd.conf for details.

Fine grained control over the mount

Configuring /var/log/audit as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options.

Protection of audit data

As /var/log/audit contains audit logs, care should be taken to ensure the security and integrity of the data and mount point.

Solution

For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit

For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.

Impact:

Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.

See Also

https://workbench.cisecurity.org/files/4226