Score:0

Sizing and moving /var/log to meet DISA STIG

baw

RHEL 8 DISA has a requirement that /var/log must be on a separate partition. The finding exists because the main partition might fill up.

I am trying to harden VMs in an Azure Cloud Environment. Since I can terraform any VM of virtually any size, would an appropriate response to this finding be to simply size the VM correctly rather than moving /var/log?

https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2020-11-25/finding/V-230293

Score:1

The advisory says to use a separate partition for logs.

In my experience, logs are a common source of denial of service when the root partition fills up.

Assuming you are running VMs in the cloud, you pay for unused disk space, so assuming that you can just make the root partition big enough might not be a good financial decision.

For VMs, creating a separate disk for logs is an easy process to complete. It also makes it easy to see how much disk space is consumed by logs. Log rotation and archiving is one method to manage space consumed by logs, but having a fail-safe method is important from a management and security viewpoint.

baw
Thanks for the advice. This is for an on-premises instance. /var is on a /dev/mapper partition that was created automatically by the Azure VM process using LVM. The file system is XFS. It’s mapped to /dev/sdb. Would you consider this a false positive? /var is set to about 8 GB.
John Hanley
@baw - Mounting `/dev/sdb` as `/var` is not the same thing as mounting a file system on `/var/log`. The key item is that `/var/log` should be a separate file system. Note: I prefer that file systems such as `/`, `/var/log`, `/tmp`, etc. are actual disk partitions or entire disk devices. LVM should be used for file systems that should grow, such as `/home`. Opinions vary, and the correct layout depends on how the system is used, the resources available and the backup strategy. To answer your question: no, you do not have a false positive. Your layout violates the advisory.
baw
Thanks John. I’ll create a new filesystem as suggested for each. For /home I plan to use NFS back to an Isilon.
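
The distinction drawn in the comments above (a file system mounted on `/var` does not make `/var/log` a separate file system) can be checked mechanically. The script below is an added example, not part of the original thread: it reads a mount table in `/proc/mounts` format and reports which mount point actually holds `/var/log`. The function names, device names and both sample mount tables are constructed for illustration.

```shell
#!/bin/sh
# mount_point_for MOUNTS_FILE PATH
# Prints the mount point (longest matching prefix) that holds PATH.
# MOUNTS_FILE uses /proc/mounts layout: device mountpoint fstype opts dump pass
mount_point_for() {
    awk -v p="$2" '
        {
            mp = $2
            # mp covers p if it is p itself, the root, or a directory prefix of p
            if (mp == p || mp == "/" || index(p, mp "/") == 1)
                if (length(mp) > length(best)) best = mp
        }
        END { print best }
    ' "$1"
}

# is_separate_fs MOUNTS_FILE PATH: succeeds only if PATH is itself a mount point
is_separate_fs() {
    [ "$(mount_point_for "$1" "$2")" = "$2" ]
}

report() {
    if is_separate_fs "$1" /var/log; then
        echo "PASS: /var/log is its own file system"
    else
        echo "FAIL: /var/log lives on $(mount_point_for "$1" /var/log)"
    fi
}

SAMPLES=$(mktemp -d)
# Constructed sample: /var on LVM, nothing mounted on /var/log
cat > "$SAMPLES/var_only" <<'EOF'
/dev/mapper/rootvg-rootlv / xfs rw,relatime 0 0
/dev/mapper/rootvg-varlv /var xfs rw,relatime 0 0
/dev/mapper/rootvg-tmplv /tmp xfs rw,relatime 0 0
EOF
# Constructed sample: /var/log on its own device
cat > "$SAMPLES/var_log_separate" <<'EOF'
/dev/mapper/rootvg-rootlv / xfs rw,relatime 0 0
/dev/mapper/rootvg-varlv /var xfs rw,relatime 0 0
/dev/sdc1 /var/log xfs rw,relatime 0 0
EOF

report "$SAMPLES/var_only"
report "$SAMPLES/var_log_separate"
# On a live host: report /proc/mounts
```
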