diff --git a/lib/post_install_tasks/disk_partitions.md b/lib/post_install_tasks/disk_partitions.md index 9f8cd51..26d7bcc 100644 --- a/lib/post_install_tasks/disk_partitions.md +++ b/lib/post_install_tasks/disk_partitions.md @@ -26,6 +26,12 @@ You should also consider separating these partitions: - `/var/tmp` - `/var/log/audit` +###### Policies + +- STIG: + +- CIS: + ###### Useful resources - [Recommended partitioning scheme](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/installation_guide/s2-diskpartrecommend-x86) @@ -39,6 +45,12 @@ For more security-focused situations is as follows: - `nosuid` - specifies that the filesystem cannot contain set userid files. Preventing setuid binaries on a world-writable filesystem makes sense because there's a risk of root escalation or other awfulness there - `noexec` - this param might be useful for a partition that contains no binaries, like **/var**, or contains binaries you do not want to execute on your system (from partitions with `noexec`), or that cannot even be executed on your system +###### Policies + +- STIG: + +- CIS: + ###### Useful resources - [Linux Security: Mount /tmp With nodev, nosuid, and noexec Options](https://www.cyberciti.biz/faq/linux-add-nodev-nosuid-noexec-options-to-temporary-storage-partitions/) @@ -123,6 +135,12 @@ And set `nodev`, `nosuid` and `noexec` mount options in `/etc/fstab`. > Alternative for **polyinstantiated directories** is **PrivateTmp** feature available from **systemd**. For more information please see: [New Red Hat Enterprise Linux 7 Security Feature: PrivateTmp](https://access.redhat.com/blogs/766093/posts/1976243). +###### Policies + +- STIG: + +- CIS: + ###### Useful resources - [Increasing Linux server security with nodev, nosuid and no exec options](https://kb.iweb.com/hc/en-us/articles/230267488--Increasing-Linux-server-security-with-nodev-nosuid-and-no-exec-options) 
@@ -144,6 +162,12 @@ tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0 tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1770,uid=root,gid=shm 0 0 ``` +###### Policies + +- STIG: + +- CIS: + ###### Useful resources - [Securing /dev/shm partition](https://www.gnutoolbox.com/securing-devshm-partition/) @@ -158,6 +182,12 @@ proc /proc proc defaults,hidepid=2 0 0 > Some of the services/programs operate incorrectly when the `hidepid` parameter is set, e.g. Nagios checks. +###### Policies + +- STIG: + +- CIS: + ###### Useful resources - [Linux system hardening: adding hidepid to /proc mount point](https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/) @@ -190,6 +220,12 @@ cryptdisks_start swap swapon -a ``` +###### Policies + +- STIG: + +- CIS: + ###### Useful resources - [dm-crypt/Swap encryption](https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption) @@ -197,6 +233,12 @@ swapon -a #### :eight_pointed_black_star: Disk quotas +###### Policies + +- STIG: + +- CIS: + ###### Useful resources - [The Lost Art of Disk Quota Management](https://linuxacademy.com/blog/linux/the-lost-art-of-disk-quota-management/) diff --git a/lib/services/disable_all_unnecessary_services.md b/lib/services/disable_all_unnecessary_services.md index 23dca72..688c611 100644 --- a/lib/services/disable_all_unnecessary_services.md +++ b/lib/services/disable_all_unnecessary_services.md @@ -20,3 +20,9 @@ Run the following command to disable cups: ```bash # systemctl disable cups ``` + +###### Policies + +- STIG: + +- CIS:
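Review bot: the `###### Policies` block added in the `@@ -26,6 +26,12 @@` hunk (separate partitions) ships two bullets, `- STIG:` and `- CIS:`, with nothing after the colon, so a reader of the rendered page sees an empty policy list and cannot tell whether no benchmark rule applies or the mapping was simply not written yet. Either fill in the edition and rule reference for each benchmark before merging, or use an explicit marker such as `- STIG: TBD` so the gap is visible and easy to grep for later; the heading level matches the existing `###### Useful resources`, which is fine.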
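Review bot: in the `@@ -39,6 +45,12 @@` hunk (mount options) the new `Policies` block is inserted directly under the `noexec` bullet, again with empty `- STIG:` / `- CIS:` entries; since the section's whole point is to justify `nodev`, `nosuid` and `noexec`, this is the section where a concrete benchmark reference would add the most value, so consider populating it here first rather than leaving scaffolding. While touching this section, the surrounding context line "For more security-focused situations is as follows:" is missing its subject and could be reworded.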
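Review bot: the `@@ -197,6 +233,12 @@` hunk adds an empty `Policies` block to the `#### :eight_pointed_black_star: Disk quotas` section, which in the visible context has no body at all, only a `Useful resources` list; stacking an empty policy list on top of an empty section makes the page look finished when it is not. Suggest either writing the quota guidance in the same change or leaving this section without the scaffolding until there is content to map to a policy.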
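Review bot: the `@@ -20,3 +20,9 @@` hunk in `lib/services/disable_all_unnecessary_services.md` appends the `Policies` block after the closing ```` ``` ```` fence at the end of the file, but unlike every other file in this patch there is no `###### Useful resources` section following it, so the ordering convention (Policies, then Useful resources) established elsewhere is not visible here; consider adding the resources section or documenting that the order is Policies last when no resources exist. The added `+` blank line between the fence and the heading is consistent with the other hunks, but the blank `+` line after `- STIG:` and the file ending on `- CIS:` with no trailing blank line should be double-checked against the other files for consistency.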