On 2/4/11 5:14 PM, "[email protected]" <[email protected]> wrote:
> Forum: Cfengine Help
> Subject: Re: Cfengine Help: Cfengine 3.1.4 is released - still in /var
> Author: Ed
> Link to topic: https://cfengine.com/forum/read.php?3,20445,20482#msg-20482
>
> I can understand the /var location - the binaries are there for reference,
> AFAIK, so noexec should not be a problem on that partition - right? I can't
> remember ever setting /var noexec - have to look into that.

NIST, likely more, suggest flags such as noexec and nosuid on /var and other
common partitions which don't typically host binaries. As usual, such guides
are suggestions that need to be adjusted for local site conventions!

We use a custom workdir, which we support in policy and our locally rolled
package (which also handles a lot of other bootstrap tasks), so I don't care
too much about defaults. ;-)

--
Mike Hoskins / [email protected] / +1 650 506 UNIX (8649)
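
Added example, not part of the original message or of Cfengine: a shell check of whether the filesystem holding a workdir is mounted noexec, read from /proc/mounts-format input. The mount table is constructed sample data, /opt/site/cfengine is a hypothetical custom workdir, and /var/cfengine is assumed to be the default one.

```shell
#!/bin/sh
# Added example (not from the original thread): does the filesystem that
# holds a path carry noexec / nosuid? Input is /proc/mounts-format text.

# Constructed sample: /var hardened as the guides suggest, plus a
# separate site-specific workdir filesystem (hypothetical path).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /opt/site/cfengine ext4 rw,nodev,relatime 0 0
tmpfs /var/run tmpfs rw,nosuid,nodev,mode=755 0 0
EOF
}

# mount_opts_for PATH: read mounts on stdin, print the options of the
# longest mount point that contains PATH (later entries win ties).
mount_opts_for() {
    awk -v p="$1" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }
    '
}

# has_opt OPTS FLAG: succeed if FLAG is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# exec_status PATH: print "blocked" if binaries under PATH cannot be
# executed because of noexec, otherwise "allowed". Mounts on stdin.
exec_status() {
    if has_opt "$(mount_opts_for "$1")" noexec; then
        echo blocked
    else
        echo allowed
    fi
}

# Default workdir location vs. a custom one, against the sample table.
for d in /var/cfengine/bin /opt/site/cfengine/bin /var/run/x /variable; do
    printf '%s: %s (%s)\n' "$d" "$(sample_mounts | exec_status "$d")" \
        "$(sample_mounts | mount_opts_for "$d")"
done
```

On a live host, feed the real table instead of the sample: `exec_status /var/cfengine/bin < /proc/mounts`.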
