On 2/4/11 5:14 PM, "no-re...@cfengine.com" <no-re...@cfengine.com> wrote:

> Forum: Cfengine Help
> Subject: Re: Cfengine Help: Cfengine 3.1.4 is released - still in /var
> Author: Ed
> Link to topic: https://cfengine.com/forum/read.php?3,20445,20482#msg-20482
>
> I can understand the /var location - the binaries are there for reference,
> AFAIK, so noexec should not be a problem on that partition - right? I can't
> remember ever setting /var noexec - have to look into that.

NIST, likely more, suggest flags such as noexec and nosuid on /var and other common partitions which don't typically host binaries. As usual, such guides are suggestions that need to be adjusted for local site conventions!

We use a custom workdir, which we support in policy and our locally rolled package (which also handles a lot of other bootstrap tasks), so I don't care too much about defaults. ;-)

--
Mike Hoskins / micho...@cisco.com / +1 650 506 UNIX (8649)

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
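
The question in this thread, whether a noexec /var gets in the way of binaries kept under the CFEngine workdir, can be checked per host. The following is an added example, not part of the original messages or of CFEngine: it assumes the default workdir /var/cfengine, uses /opt/cfengine as a hypothetical custom workdir, and all function names are illustrative.

```shell
#!/bin/sh
# Added example: does the mount holding a CFEngine workdir allow execution?

# Constructed sample in /proc/mounts layout (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /var ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda5 /opt ext3 rw,nosuid 0 0
EOF
}

# mount_opts_for PATH [MOUNTS_FILE]: print the options of the mount holding PATH.
# The longest matching mount point wins; a later entry shadows an earlier one.
mount_opts_for() {
    awk -v path="$1" '
        {
            mp = $2
            # Match "/" or a prefix that ends on a directory boundary.
            if (mp == "/" || path == mp || index(path, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { if (!best) exit 1; print opts }
    ' "${2:-/proc/mounts}"
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# check_workdir PATH [MOUNTS_FILE]
# Returns 0 if exec is allowed, 1 if noexec blocks it, 2 if no mount matched.
check_workdir() {
    opts=$(mount_opts_for "$1" "${2:-/proc/mounts}") || { echo "$1: no mount found"; return 2; }
    if has_opt "$opts" noexec; then
        echo "$1: on a noexec mount ($opts), binaries here will not run"
        return 1
    fi
    has_opt "$opts" nosuid || echo "$1: nosuid is not set ($opts)"
    echo "$1: exec allowed ($opts)"
}

# Demo on the constructed table; /opt/cfengine is a hypothetical custom workdir.
tmp=$(mktemp) && sample_mounts > "$tmp"
check_workdir /var/cfengine "$tmp" || true
check_workdir /opt/cfengine "$tmp" || true
rm -f "$tmp"
```

Called with only a path, `check_workdir` reads the live `/proc/mounts` instead of the sample table.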