added new header: policy (STIG, CIS)

- signed-off-by: trimstray <trimstray@gmail.com>
trimstray
2019-02-19 18:20:56 +01:00
parent 42509e3d9e
commit 0390c625f0
2 changed files with 48 additions and 0 deletions


@@ -26,6 +26,12 @@ You should also consider separating these partitions:
- `/var/tmp`
- `/var/log/audit`
###### Policies
- STIG:
- CIS:
###### Useful resources
- [Recommended partitioning scheme](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/installation_guide/s2-diskpartrecommend-x86)
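Review bot: the two new policy bullets `- STIG:` and `- CIS:` under `###### Policies` are inserted empty, so the rendered section shows two dangling labels with no rule reference. Either cite the specific STIG and CIS benchmark items that call for separate partitions for the paths listed just above (`/var/tmp`, `/var/log/audit`) or mark the entries with an explicit placeholder such as `TBD` so a reader can tell an unfilled entry from a deliberate "no requirement".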
@@ -39,6 +45,12 @@ For more security-focused situations is as follows:
- `nosuid` - specifies that the filesystem cannot contain set userid files. Preventing setuid binaries on a world-writable filesystem makes sense because there's a risk of root escalation or other awfulness there
- `noexec` - this param might be useful for a partition that contains no binaries, like **/var**, or contains binaries you do not want to execute on your system (from partitions with `noexec`), or that cannot even be executed on your system
###### Policies
- STIG:
- CIS:
###### Useful resources
- [Linux Security: Mount /tmp With nodev, nosuid, and noexec Options](https://www.cyberciti.biz/faq/linux-add-nodev-nosuid-noexec-options-to-temporary-storage-partitions/)
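Review bot: this hunk lands the empty `- STIG:` / `- CIS:` pair directly after the `noexec` bullet, and both STIG and CIS do have guidance on `nodev`, `nosuid` and `noexec` for temporary and removable filesystems, so this is the block where a concrete rule reference would add the most value. Filling it here (rule title or identifier, plus a link) would also give the other six identical blocks in this commit a pattern to follow.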
@@ -123,6 +135,12 @@ And set `nodev`, `nosuid` and `noexec` mount options in `/etc/fstab`.
> Alternative for **polyinstantiated directories** is **PrivateTmp** feature available from **systemd**. For more information please see: [New Red Hat Enterprise Linux 7 Security Feature: PrivateTmp](https://access.redhat.com/blogs/766093/posts/1976243).
###### Policies
- STIG:
- CIS:
###### Useful resources
- [Increasing Linux server security with nodev, nosuid and no exec options](https://kb.iweb.com/hc/en-us/articles/230267488--Increasing-Linux-server-security-with-nodev-nosuid-and-no-exec-options)
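Review bot: the new block follows a `>` blockquote about PrivateTmp; the `######` heading terminates the quote correctly, but the blank policy entries give no hint whether polyinstantiated directories are required, recommended, or merely permitted by either benchmark. A one-line qualifier per entry (for example "required", "recommended", or "not covered") would make the empty bullets meaningful until references are added.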
@@ -144,6 +162,12 @@ tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0
tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1770,uid=root,gid=shm 0 0
```
###### Policies
- STIG:
- CIS:
###### Useful resources
- [Securing /dev/shm partition](https://www.gnutoolbox.com/securing-devshm-partition/)
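Review bot: the Policies block is added after the fenced `/dev/shm` fstab examples, which is the right position, but the `- CIS:` entry stays blank even though the mount options shown in the context lines (`nodev,nosuid,noexec` on `/dev/shm`) are exactly what a benchmark entry would be cross-referenced to. Consider quoting the benchmark wording for `/dev/shm` here rather than leaving the entry empty.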
@@ -158,6 +182,12 @@ proc /proc proc defaults,hidepid=2 0 0
> Some of the services/programs operate incorrectly when the `hidepid` parameter is set, e.g. Nagios checks.
###### Policies
- STIG:
- CIS:
###### Useful resources
- [Linux system hardening: adding hidepid to /proc mount point](https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/)
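Review bot: for `hidepid` the empty `- STIG:` and `- CIS:` bullets are ambiguous in a different way than in the other sections: if neither benchmark mandates `hidepid=2`, a blank line implies a pending reference rather than "not required". Stating "none" (or "not required") explicitly would keep the header useful, and it pairs well with the existing caveat above about `hidepid` breaking Nagios checks.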
@@ -190,6 +220,12 @@ cryptdisks_start swap
swapon -a
```
###### Policies
- STIG:
- CIS:
###### Useful resources
- [dm-crypt/Swap encryption](https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption)
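Review bot: same empty `- STIG:` / `- CIS:` pair after the `cryptdisks_start swap` / `swapon -a` example. Swap encryption is a good candidate for an explicit "covered / not covered" statement per benchmark, since readers hardening to a specific policy need to know whether this step is mandatory or discretionary; leaving both bullets blank answers neither question.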
@@ -197,6 +233,12 @@ swapon -a
#### :eight_pointed_black_star: Disk quotas
###### Policies
- STIG:
- CIS:
###### Useful resources
- [The Lost Art of Disk Quota Management](https://linuxacademy.com/blog/linux/the-lost-art-of-disk-quota-management/)
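Review bot: in the Disk quotas section the `###### Policies` block is inserted immediately under the `####` section heading, before any body text, so it becomes the first thing a reader sees in an otherwise empty section. Since this commit adds seven identical six-line blocks (`###### Policies`, `- STIG:`, `- CIS:`, then `###### Useful resources`), a short note near the top of the document explaining what the STIG and CIS entries will contain (rule identifier, title, link) would document the convention once and make the blank entries across all sections self-explanatory until they are filled in.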