minor fixes, updated 'Disk partitions'

- signed-off-by: trimstray <trimstray@gmail.com>

README.md

@@ -70,13 +70,15 @@
   * **[Disk partitions](#disk-partitions)**
     + [Introduction](#information_source-introduction-3)
     + [Separate disk partitions](#eight_pointed_black_star-separate-disk-partitions)
-    + [Lock the boot directory](#eight_pointed_black_star-lock-the-boot-directory)
-    + [Secure /tmp and /var/tmp](#eight_pointed_black_star-secure-tmp-and-var-tmp)
+    + [Mount options: nodev, noexec and nosuid](#eight_pointed_black_star-mount-options-nodev-noexec-and-nosuid)
+    + [Secure /boot directory](#eight_pointed_black_star-secure-boot-directory)
+    + [Secure /tmp and /var/tmp](#eight_pointed_black_star-secure-tmp-var-tmp)
+    + [Secure /dev/shm](#eight_pointed_black_star-secure-dev-shm)
     + [Disk quotas](#eight_pointed_black_star-disk-quotas)
     + [Summary checklist](#ballot_box_with_check-summary-checklist-3)
   * **[Keep system updated](#keep-system-updated)**
   * [Package management](#package-management)
-    + [Automiatic security updates](#automatic-security-updates)
+    + [Automatic security updates](#automatic-security-updates)
     + [Remove packages with known issues](#remove-packages-with-known-issues)
   * [Netfilter ruleset](#netfilter-ruleset)
   * [TCP wrapper](#tcp-wrapper)
@@ -334,9 +336,6 @@ grub2-install /dev/sda
 - swap area is not required to survive a reboot, therefore a new random encryption key can be chosen each time the swap area is activated
 - get the key from `/dev/urandom` because `/dev/random` maybe stalling your boot sequence
 
-  > More details can be found here (Bootloader configuration (grub) section):
-  > - [Swap partition](#eight_pointed_black_star-swap-partition-1)
-
 #### :ballot_box_with_check: Summary checklist
 
 | <b>Item</b> | <b>True</b> | <b>False</b> |
@@ -437,7 +436,6 @@ Make sure the following filesystems are mounted on separate partitions:
 - `/boot`
 - `/tmp`
 - `/var`
-- `/var/tmp` (or symlink for `/tmp`)
 - `/var/log`
 
 Additionally, depending on the purpose of the server, you should consider separating the following partitions:
@@ -446,31 +444,112 @@ Additionally, depending on the purpose of the server, you should consider separa
 - `/home`
 - `/var/www`
 
-#### :eight_pointed_black_star: Read-only boot directory
+You should also consider separating these partitions:
+
+- `/var/tmp`
+- `/var/log/audit`
+
+#### :eight_pointed_black_star: Mount options: nodev, nosuid and noexec
+
+For more security-focused situations is as follows:
+
+- `nodev` - specifies that the filesystem cannot contain special devices: This is a security precaution. You don't want a user world-accessible filesystem like this to have the potential for the creation of character devices or access to random device hardware
+- `nosuid` - specifies that the filesystem cannot contain set userid files. Preventing setuid binaries on a world-writable filesystem makes sense because there's a risk of root escalation or other awfulness there
+- `noexec` - this param might be useful for a partition that contains no binaries, like **/var**, or contains binaries you do not want to execute on your system (from partitions with `noexec`), or that cannot even be executed on your system
+
+#### :eight_pointed_black_star: Secure /boot directory
 
 The boot directory contains important files related to the Linux kernel, so you need to make sure that this directory is locked down to read-only permissions.
 
-Add **ro** option to `/etc/fstab` for **/boot** entry:
+Add **ro** option and `nodev`, `nosuid` and `noexec` to `/etc/fstab` for **/boot** entry:
 
 ```bash
-LABEL=/boot   /boot   ext2  defaults,ro   1 2
+LABEL=/boot  /boot  ext2  defaults,ro,nodev,nosuid,noexec  1 2
 ```
 
-#### :eight_pointed_black_star: Secure /tmp, /var/tmp and /dev/shm
+  > When updating the kernel you will have to move the flag to `rw`:
+  > ```bash
+  > mount -o remount,defaults,rw /boot
+  > ```
 
+#### :eight_pointed_black_star: Secure /tmp and /var/tmp
 
+On Linux systems, the **/tmp** and **/var/tmp** locations are world-writable.
+
+Several daemons/applications use the **/tmp** or **/var/tmp** directories to temporarily store data, log information, or to share information between their sub-components. However, due to the shared nature of these directories, several attacks are possible, including:
+
+- Leaks of confidential data via secrets in file names
+- Race-condition attacks (TOCTOU) on the integrity of processes and data
+- Denial-of-Service (DoS) attacks based on race conditions and pre-allocating file/directory names
+
+As a rule of thumb, malicious applications usually write to **/tmp** and then attempt to run whatever was written. A way to prevent this is to mount **/tmp** on a separate partition with the options `nodev`, `nosuid` and `noexec` enabled.
+
+This will deny binary execution from **/tmp**, disable any binary to be suid root, and disable any block devices from being created.
+
+**The first possible options is create symlink**
+
+```bash
+mv /var/tmp /var/tmp.old
+ln -s /tmp /var/tmp
+cp -prf /var/tmp.old /tmp && rm -fr /var/tmp.old
+```
+
+and set properly mount params:
+
+```bash
+UUID=<...>  /tmp  ext4  defaults,nodev,nosuid,noexec  1 2
+```
+
+**The second solution is a bind mount**
+
+The storage location **/var/tmp** should be bind mounted to **/tmp**, as having multiple locations for temporary storage is not required:
+
+```bash
+/tmp  /var/tmp  none  rw,nodev,nosuid,noexec,bind  0 0
+```
+
+**The third solution is setting up polyinstantiated directories**
+
+Create new directories:
+
+```bash
+mkdir --mode 000 /tmp-inst
+mkdir --mode 000 /var/tmp/tmp-inst
+```
+
+Edit `/etc/security/namespace.conf`:
+
+```bash
+ /tmp      /tmp-inst/          level  root,adm
+ /var/tmp  /var/tmp/tmp-inst/  level  root,adm
+```
+
+Set correct SELinux context:
+
+```bash
+setsebool polyinstantiation_enabled=1
+chcon --reference=/tmp /tmp-inst
+chcon --reference=/var/tmp/ /var/tmp/tmp-inst
+```
+
+And set `nodev`, `nosuid` and `noexec` mount options in `/etc/fstab`.
+
+  > Alternative for **polyinstantiated directories** is **PrivateTmp** feature available from **systemd**. For more information please see: [New Red Hat Enterprise Linux 7 Security Feature: PrivateTmp](https://access.redhat.com/blogs/766093/posts/1976243).
+
+#### :eight_pointed_black_star: Secure /dev/shm
 
 #### :eight_pointed_black_star: Swap partition
 
-In addition, the `/boot` partition may be a weak point if you use encryption methods for the rest of the disk.
-
 #### :eight_pointed_black_star: Disk quotas
 
-In addition, the `/boot` partition may be a weak point if you use encryption methods for the rest of the disk.
-
 #### :ballot_box_with_check: Summary checklist
 
 | <b>Item</b> | <b>True</b> | <b>False</b> |
 | :---        | :---:       | :---:        |
-| Separate `/boot` partition | :black_square_button: | :black_square_button: |
-| `/boot` partition located on external drive | :black_square_button: | :black_square_button: |
+| Separate base partition scheme: `/boot`, `/tmp`, `/var`, `/var/log` | :black_square_button: | :black_square_button: |
+| Separate `/usr` partition | :black_square_button: | :black_square_button: |
+| Separate `/home` partition | :black_square_button: | :black_square_button: |
+| Separate `/var/www` partition | :black_square_button: | :black_square_button: |
+| Separate `/var/tmp` partition | :black_square_button: | :black_square_button: |
+| Separate `/var/audit` partition | :black_square_button: | :black_square_button: |
+| Secure `/boot` directory with `ro`, `nodev`, `nosuid`, `noexec` options | :black_square_button: | :black_square_button: |