
This is the first of a series of questions on hardening Linux servers at the filesystem level.

At work I'm hardening an Ubuntu 18.04 Server following the CIS benchmark 2.0.1. Instead of just running a hardening script, I'm doing it manually in order to really understand the process. For the sake of the exercise, I am assuming that the system will be a high-activity enterprise server in a hostile/compromised network, so defense in depth is crucial.

The partitioning scheme recommended by CIS (section 1.1 of the above doc) prescribes adding the following partitions and mount options:

/tmp            nodev,nosuid,noexec
/var
/var/tmp        nodev,nosuid,noexec
/var/log
/var/log/audit
/home           nodev
/dev/shm        nodev,nosuid,noexec
[removable]     nodev,nosuid,noexec

Why limit nodev,nosuid,noexec to /var/tmp instead of applying it on /var too? I am aware of the reasons for separate partitions; I'm just curious about the mount options.

Thanks in advance.

Magasta
  • I'll look at one example case: I'm not sure about the nodev part but the journal directory in my /var/log has the setgid bit set which is logging for systemd (replacing syslog). https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html – DarkMatter Feb 12 '20 at 17:20
  • @DarkMatter: cool, I didn't think of the implications of setgid. Makes sense. Thanks! – Magasta Feb 13 '20 at 11:21
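The following POSIX shell script is an added example, not part of the question or the CIS benchmark text. It audits fstab-style entries against the mount-option table quoted in the question (nodev,nosuid,noexec on /tmp, /var/tmp and /dev/shm; nodev on /home; no extra options on /var, /var/log and /var/log/audit) and reports every required option that is missing. The fstab content below is constructed for the demonstration; the check_live function assumes the util-linux findmnt tool is present, as it is on Ubuntu, and is only run when that tool is found.

```shell
#!/bin/sh
# Audit mount options against the CIS 1.1 table quoted in the question.
# Constructed sample /etc/fstab content (not from any real server):
SAMPLE_FSTAB='UUID=aaaa-1111 /        ext4  defaults                     0 1
UUID=bbbb-2222 /tmp     ext4  defaults,nodev,nosuid,noexec 0 2
UUID=cccc-3333 /var     ext4  defaults                     0 2
UUID=dddd-4444 /var/tmp ext4  defaults,nodev,nosuid        0 2
UUID=eeee-5555 /home    ext4  defaults                     0 2
tmpfs          /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0'

# required_opts MOUNTPOINT: print the options the table demands for it.
# /var, /var/log and /var/log/audit only need to be separate partitions,
# so they intentionally require no options here.
required_opts() {
  case "$1" in
    /tmp|/var/tmp|/dev/shm) echo "nodev nosuid noexec" ;;
    /home)                  echo "nodev" ;;
    *)                      echo "" ;;
  esac
}

# has_opt OPTS OPT: succeed if comma-separated OPTS contains OPT exactly
# (so "nodev" does not match "nodevfoo").
has_opt() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# check_entries TEXT: TEXT holds lines "SOURCE TARGET FSTYPE OPTIONS ...".
# Prints one "TARGET missing OPTION" line per gap; prints nothing when clean.
check_entries() {
  printf '%s\n' "$1" | while read -r src mnt fstype opts rest; do
    [ -z "$mnt" ] && continue
    case "$src" in '#'*) continue ;; esac      # skip fstab comments
    for want in $(required_opts "$mnt"); do
      has_opt "$opts" "$want" || printf '%s missing %s\n' "$mnt" "$want"
    done
  done
}

# check_fstab FILE: audit what is configured (defaults to /etc/fstab).
check_fstab() {
  check_entries "$(cat "${1:-/etc/fstab}")"
}

# check_live: audit what is actually mounted right now, since a bad fstab
# and a bad running state are separate findings. Assumes findmnt(8).
check_live() {
  command -v findmnt >/dev/null 2>&1 || { echo "findmnt not available" >&2; return 2; }
  # -rn: raw, no header; columns mapped onto the same field order as fstab.
  check_entries "$(findmnt -rn -o SOURCE,TARGET,FSTYPE,OPTIONS)"
}

# Stand-alone run: audit the constructed sample, then the live system if possible.
check_entries "$SAMPLE_FSTAB"
command -v findmnt >/dev/null 2>&1 && check_live
```

Run against the sample the script reports "/var/tmp missing noexec" and "/home missing nodev" while /var passes untouched, which mirrors the table: the option set is attached to the world-writable scratch directories, not to the parent filesystem. The has_opt match is deliberately anchored on commas so that a partial option name never counts as present.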
