Servers – Configure /var Partition

02 March, 2026

This check ensures that the /var partition is configured with the secure mount options nodev, nosuid, and noexec. The /var directory stores variable system data such as logs, mail spools, caches, and application data. Without these restrictions, attackers may exploit writable directories to create device files, execute malicious binaries, or escalate privileges.

Check Details

  • Resource: Server
  • Checks:
    • Ensure nosuid option set on /var partition
    • Ensure noexec option set on /var partition
    • Ensure nodev option set on /var partition
  • Risk: If the /var partition is not mounted with the secure mount options nodev, nosuid, and noexec, attackers may create device files, execute malicious programs, or use setuid binaries to escalate privileges and compromise the system.

Remediation Steps

  1. Open a terminal session on the target server with root or sudo privileges.
  2. Remount the /var partition with the secure mount options so that device files, setuid privilege escalation, and execution of binaries are blocked on it.

    sudo mount -o remount,nodev,nosuid,noexec /var
    

Note: On Container-Optimized OS, the /etc directory is stateless. Therefore, mount configuration changes will not persist across system reboots. The remediation step must be performed again after each system boot.
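
To confirm that the remount took effect (and to re-check after each boot), the following added example, which is not part of the original article, parses a mount table in /proc/self/mounts format and reports which of the three options are still missing on /var. The function name missing_mount_opts and the sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the hardening options missing from a mount point.
# Reads a mount table in /proc/self/mounts format on stdin:
#   device mountpoint fstype options dump pass

# missing_mount_opts MOUNTPOINT
# Prints missing options, space separated. Returns 0 if none are missing,
# 1 if some are missing, 2 if MOUNTPOINT is not a separate mount.
missing_mount_opts() {
    mp=$1
    # Keep the last matching entry: a later mount shadows earlier ones.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 2
    fi
    missing=""
    for want in nodev nosuid noexec; do
        # Wrap in commas so only whole option names match.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    missing=${missing# }
    echo "$missing"
    [ -z "$missing" ]
}

# Constructed sample tables (not taken from a real host).
SAMPLE_WEAK='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0'
SAMPLE_PARTIAL='/dev/sda3 /var ext4 rw,nosuid,relatime 0 0'
SAMPLE_HARDENED='/dev/sda3 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0'

for table in "$SAMPLE_WEAK" "$SAMPLE_PARTIAL" "$SAMPLE_HARDENED"; do
    if out=$(printf '%s\n' "$table" | missing_mount_opts /var); then
        echo "/var: all three options set"
    else
        echo "/var: missing: $out"
    fi
done
```

On a live host, run `missing_mount_opts /var < /proc/self/mounts`; a return code of 2 means /var is not a separate mount, so there is nothing to remount.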