Detections
Analytics

1.1.2.6.2 Ensure nodev option set on /var/log partition

Information

The nodev mount option specifies that the filesystem cannot contain special devices.

Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /var/log.

Solution

- IF - a separate partition exists for /var/log.

Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/log partition.

Example:

<device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0

Run the following command to remount /var/log with the configured options:

# mount -o remount /var/log

See Also

https://workbench.cisecurity.org/benchmarks/26236

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|CM-7(2), 800-53|MP-2, CSCv7|14.6, Rule-ID|SV-230514r854055_rule, Vuln-ID|V-230514

Plugin: Unix

Control ID: 32d00ff5e4f26ec9c8b7942319917a4764fc33b55efa64d5f31d74b1395e90f6