added 'Useful resources'; minor updates

- signed-off-by: trimstray <trimstray@gmail.com>
2025-12-06 17:22:51 +01:00 · 2019-02-19 10:11:49 +01:00
parent eb28e42919
commit 7782167627
1 changed files with 55 additions and 0 deletions
--- a/lib/post_install_tasks/disk_partitions.md
+++ b/lib/post_install_tasks/disk_partitions.md
@@ -26,6 +26,11 @@ You should also consider separating these partitions:
 - `/var/tmp`
 - `/var/log/audit`
 ###### Useful resources
 - [Recommended partitioning scheme](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/installation_guide/s2-diskpartrecommend-x86)
 - [Most secure way to partition linux?](https://security.stackexchange.com/questions/38793/most-secure-way-to-partition-linux)
 #### :eight_pointed_black_star: Mount options: nodev, nosuid and noexec
 For more security-focused situations is as follows:
@@ -34,6 +39,11 @@ For more security-focused situations is as follows:
 - `nosuid` - specifies that the filesystem cannot contain set userid files. Preventing setuid binaries on a world-writable filesystem makes sense because there's a risk of root escalation or other awfulness there
 - `noexec` - this param might be useful for a partition that contains no binaries, like **/var**, or contains binaries you do not want to execute on your system (from partitions with `noexec`), or that cannot even be executed on your system
 ###### Useful resources
 - [Linux Security: Mount /tmp With nodev, nosuid, and noexec Options](https://www.cyberciti.biz/faq/linux-add-nodev-nosuid-noexec-options-to-temporary-storage-partitions/)
 - [Security Handbook/Mounting partitions](https://wiki.gentoo.org/wiki/Security_Handbook/Mounting_partitions)
 #### :eight_pointed_black_star: Secure /boot directory
 The boot directory contains important files related to the Linux kernel, so you need to make sure that this directory is locked down to read-only permissions.
@@ -113,6 +123,11 @@ And set `nodev`, `nosuid` and `noexec` mount options in `/etc/fstab`.
  > Alternative for **polyinstantiated directories** is **PrivateTmp** feature available from **systemd**. For more information please see: [New Red Hat Enterprise Linux 7 Security Feature: PrivateTmp](https://access.redhat.com/blogs/766093/posts/1976243).
 ###### Useful resources
 - [Increasing Linux server security with nodev, nosuid and no exec options](https://kb.iweb.com/hc/en-us/articles/230267488--Increasing-Linux-server-security-with-nodev-nosuid-and-no-exec-options)
 - [Why it is important to Securing /dev/shm and /tmp](https://askubuntu.com/questions/389408/why-it-is-important-to-securing-dev-shm-and-tmp)
 #### :eight_pointed_black_star: Secure /dev/shm
 `/dev/shm` is a temporary file storage filesystem, i.e. **tmpfs**, that uses RAM for the backing store. One of the major security issue with the `/dev/shm` is anyone can upload and execute files inside the `/dev/shm` similar to the `/tmp` partition. Further the size should be limited to avoid an attacker filling up this mountpoint to the point where applications could be affected. (normally it allows 20% or more of RAM to be used). The sticky bit should be set like for any world writeable directory.
@@ -129,6 +144,10 @@ tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0
 tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,size=1024M,mode=1770,uid=root,gid=shm 0 0
 ```
 ###### Useful resources
 - [Securing /dev/shm partition](https://www.gnutoolbox.com/securing-devshm-partition/)
 #### :eight_pointed_black_star: Secure /proc filesystem
 The proc pseudo-filesystem `/proc` should be mounted with `hidepid`. When setting `hidepid` to **2**, directories entries in `/proc` will hidden.
@@ -139,8 +158,43 @@ proc  /proc  proc  defaults,hidepid=2  0 0
  > Some of the services/programs operate incorrectly when the `hidepid` parameter is set, e.g. Nagios checks.
 ###### Useful resources
 - [Linux system hardening: adding hidepid to /proc mount point](https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/)
 #### :eight_pointed_black_star: Swap partition
 Encryption of swap space is used to protect sensitive information. It improves the availability of the system, which is also an important part of information security.
 ```bash
 # Turn off the swap area
 swapoff -a
 # Wipe the swap area
 shred -vfz -n 10 /dev/sda2
 # Update /etc/fstab
 UUID=7e1e715e-7ac4-45ad-b029-18fed80f225f none swap defaults 0 0
 # Add the swap area to /etc/crypttab
 swap /dev/sda2 /dev/urandom swap
 # Activate the mapping
 cryptdisks_start swap
 /etc/init.d/cryptdisks restart
 # Add the encrypted swap area to /etc/fstab
 /dev/mapper/swap none swap defaults 0 0
 # Turn on the swap area
 swapon -a
 ```
 ###### Useful resources
 - [dm-crypt/Swap encryption](https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption)
 - [Encrypted swap partition on Debian/Ubuntu](https://feeding.cloud.geek.nz/posts/encrypted-swap-partition-on/)
 #### :eight_pointed_black_star: Disk quotas
 #### :ballot_box_with_check: Summary checklist
@@ -160,3 +214,4 @@ proc  /proc  proc  defaults,hidepid=2  0 0
 | Setting up polyinstantiated directories for `/tmp` and `/var/tmp` | :black_square_button: | :black_square_button: |
 | Secure `/dev/shm` directory with `nodev`, `nosuid`, `noexec` options | :black_square_button: | :black_square_button: |
 | Secure `/proc` filesystem with `hidepid=2` option | :black_square_button: | :black_square_button: |
 | Secure swap area with cryptsetup | :black_square_button: | :black_square_button: |