1.1.2.4.1 Ensure separate partition exists for /var

Information

The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.

The reasoning for mounting /var on a separate partition is as follows.

The default installation only creates a single / partition. Since the /var directory may contain world writable files and directories, there is a risk of resource exhaustion. It will essentially have the whole disk available to fill up and impact the system. In addition, other operations on the system could fill up the disk unrelated to /var and cause unintended behavior across the system as the disk is full. See man auditd.conf for details.

Configuring /var as its own file system allows an administrator to set additional mount options such as noexec/nosuid/nodev These options limit an attacker's ability to create exploits on the system. Other options allow for specific behavior. See man mount for exact details regarding filesystem-independent and filesystem-specific options.

An example of exploiting /var may be an attacker establishing a hard-link to a system setuid program and waiting for it to be updated. Once the program is updated, the hard-link can be broken and the attacker would have their own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.

Solution

For new installations, during installation create a custom partition setup and specify a separate partition for /var

For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.

Impact:

Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.

See Also

https://workbench.cisecurity.org/benchmarks/18210