The Lynis security audit tool has flagged up the following:
To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]
The online explanation states the following but does not provide a how-to:
Some partitions like /tmp and /home can be easily filled by users of a system. When not being separated from the root file system, this might increase the risk of filling up this file system and cause malfunctioning to other system components.
What would be the best steps for me to follow to achieve the aim? I have a 64GB SD card available for moving /var to.
I would urge you not to blindly follow all the things the Lynis tool flags, especially if this is a desktop.
Is the rest of your OS installed on an SD card? If not, moving /var there is likely to impact performance.
What is the output of
If your / file system is not at 75% or larger usage then there is no reason for most users to be concerned. If approaching 90+% then you should take steps to allow more space and it is possible that relocating things may help.
The suggestion for having /home on a separate partition is always a good one since most of our downloads other than software installs will go to /home.
df /var indicates 5% used, so not an issue in this instance. If I were to be in the position of needing to free up space in /var, what would be considered the best way of going about it?
Thank you. I’m still developing a feel, as I would put it, for how much weight to give to Lynis recommendations/suggestions. For future questions that I should raise regarding output from Lynis, my questions will be along the lines of “is this point valid and, if so, how best can I implement?”. Thank you again.
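As an added example that is not part of the thread above, the following script puts the two checks from the comments into one place: how full the filesystems behind /, /var, /tmp and /home are (classified with the 75% / 90% rule of thumb given above), and whether each directory is its own mount point, which is what the Lynis FILE-6310 finding is actually asking about. It assumes only POSIX `df` and `awk`; directory names are given without a trailing slash.

```shell
#!/bin/sh
# Added example, not from the original thread: report the fill level of the
# filesystems behind a few directories, classify them with the 75% / 90% rule
# of thumb quoted in the comments, and show whether each directory is a separate
# filesystem (the point of the Lynis FILE-6310 finding). Uses only POSIX df/awk.

# usage_pct DIR -> prints the used percentage of the filesystem holding DIR
usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# classify PCT -> ok | warn | critical, using the thresholds from the comments
classify() {
    if [ "$1" -ge 90 ]; then
        echo critical
    elif [ "$1" -ge 75 ]; then
        echo warn
    else
        echo ok
    fi
}

# mount_point DIR -> prints the "Mounted on" column of the filesystem holding DIR
mount_point() {
    df -P "$1" | awk 'NR == 2 { print $6 }'
}

# is_separate_mount DIR -> succeeds when DIR (no trailing slash) is itself a
# mount point, i.e. it does not merely live on a parent filesystem such as /
is_separate_mount() {
    [ "$(mount_point "$1")" = "$1" ]
}

# report DIR... -> one line per directory; directories that do not exist are skipped
report() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        pct=$(usage_pct "$d")
        if is_separate_mount "$d"; then
            layout="separate filesystem"
        else
            layout="shares $(mount_point "$d")"
        fi
        printf '%-6s %3s%% %-8s %s\n' "$d" "$pct" "$(classify "$pct")" "$layout"
    done
}

report / /var /tmp /home
```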
Just to make the output of your audit tool understandable:
the reason why it made the /var suggestion while linking it to the issue in the /tmp /home dir, which can be easily filled by users, is simple: the problem a workstation/desktop has with its users in /tmp /home, is the same problem a server has with its daemons/services in /var.
So, the services & daemons of servers store their variable information (including logs, and so on) in /var. So, if a daemon has a flaw, or gets unintended input from the Internet or such, it may completely fill the /var dir (excessive production of logs can be sufficient to fill /var after some time, but there are also other possibilities to fill it). So, servers or other machines that run comparable processes should separate /var for the same reasons why it makes sense for desktops/workstations to separate /home and /tmp (the latter is often a tmpfs anyway).
If you use your system just as normal workstation/desktop, there is usually no need to separate /var, as the daemons you run are not likely to create such situations.
If you want to make some space free in /var, I would start with cleaning up the journalctl, deleting the journal entries that are older than a few days, e.g.,