This is the second of a series of questions on hardening Linux servers at the filesystem level. The first is here. The same scenario applies; I copy it here for convenience:
At work I'm hardening an Ubuntu 18.04 Server installation following the CIS benchmark 2.0.1. Instead of just running a hardening script, I'm doing it manually in order to really understand what is happening. For the sake of the exercise, I am assuming that the system will be a high-activity enterprise server in a hostile/compromised network, so defense in depth is crucial.
The partitioning scheme recommended by CIS (Section 1.1) prescribes adding the following partitions and mount options:
/tmp nodev,nosuid,noexec
/var
/var/tmp nodev,nosuid,noexec
/var/log
/var/log/audit
/home nodev
/dev/shm nodev,nosuid,noexec
[removable] nodev,nosuid,noexec
The CIS benchmark does not mention whether the partitions must be physical or whether they can be, e.g., LVM logical volumes. Can I apply the advice about partition setup to the latter? Does LVM introduce any new security pitfalls requiring additional hardening? My research hasn't given me any definite answers.
Thanks all.
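As an added example (not part of the question or of the CIS document), here is a small POSIX shell audit that checks a /proc/mounts-style table against the option list quoted above. The sample table is constructed here and deliberately uses LVM device-mapper names, since mount options are a property of the mount, not of the underlying block device, so the same checks apply to logical volumes and plain partitions alike.

```shell
#!/bin/sh
# Added example: audit mount options against the CIS 1.1 list from the
# question. Mount options live on the mount entry, so LVM logical volumes
# (/dev/mapper/*) are checked exactly like physical partitions.

# Constructed sample in /proc/mounts format (device mountpoint fstype opts).
SAMPLE_MOUNTS='/dev/mapper/vg0-root / ext4 rw,relatime 0 0
/dev/mapper/vg0-tmp /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg0-var /var ext4 rw,relatime 0 0
/dev/mapper/vg0-vartmp /var/tmp ext4 rw,nodev,relatime 0 0
/dev/mapper/vg0-home /home ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# Requirements copied from the CIS list in the question; an entry with no
# options only requires that the path be a separate mount.
REQUIRED='/tmp nodev,nosuid,noexec
/var
/var/tmp nodev,nosuid,noexec
/var/log
/var/log/audit
/home nodev
/dev/shm nodev,nosuid,noexec'

# has_opt MOUNTS MOUNTPOINT OPTION -> exit 0 if OPTION is set on that mount.
has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp { n = split($4, a, ","); for (i = 1; i <= n; i++) if (a[i] == opt) found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit_mounts MOUNTS REQUIRED -> one finding per line; empty output means
# every listed path is a separate mount with all required options.
audit_mounts() {
    mounts=$1
    printf '%s\n' "$2" | while read -r mp opts; do
        [ -n "$mp" ] || continue
        if ! printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { f = 1 } END { exit f ? 0 : 1 }'; then
            echo "$mp not a separate mount"
            continue
        fi
        for o in $(printf '%s' "$opts" | tr ',' ' '); do
            has_opt "$mounts" "$mp" "$o" || echo "$mp missing $o"
        done
    done
}

# Stand-alone run against the constructed sample.
audit_mounts "$SAMPLE_MOUNTS" "$REQUIRED"
```

On a live system, feed it the real table with `audit_mounts "$(cat /proc/mounts)" "$REQUIRED"`; bind mounts and tmpfs entries are handled the same way because only the mountpoint and options columns are inspected.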