3

What is the best solution for mount options/partitioning when having e.g.: an Ubuntu minimal install (11.04) for Desktop use? e.g.: put /tmp on different partition to give it mount options like: nodev,nosuid,noexec - it could increase security. I just want to gather tips, how to do this

noatime could give more performance! so it's a must have for every mount point.

Thank you!

p.s.: also, what size would I give to the partitions? - everyday desktop use PC

AviD
  • 72,138
  • 22
  • 136
  • 218
LanceBaynes
  • 6,149
  • 11
  • 60
  • 91
  • 5
    Hi @Lance - once again, the wording in your question makes it very difficult to answer. Please read the FAQ. Questions asking for a 'best' are generally off-topic, as the answers are likely to be subjective and depend on the particular requirements for that person's install. For a general install, Ubuntu defaults will give the majority of users without specific requirements a reasonable platform. I would say go with defaults, or think through your specific requirements and ask questions on them. – Rory Alsop May 30 '11 at 08:47
  • 2
    I suggest migrating this to the stackexchange site http://askubuntu.com/ – Jeff Ferland Jun 05 '11 at 21:56
  • Yes, this best suited for askubuntu.com – Jamess Jun 09 '11 at 06:16
  • Agree for migrate, the only time security is mentioned is in the title. – this.josh Jun 10 '11 at 01:37

5 Answers5

8

The National Security Agency actually publish operating system configuration recommendations. They specifically publish information for hardening Red Hat 5 but this could be adapted to any Linux distribution.

This setup is simply too detailed to quote in its entirity, but the hardening guide gives you a set of services which you can safely remove setuid permissions from. Note that modern linux distributions use capabilities and you should also understand and be able to review these (Red Hat 5 is somewhat old). Specifically and of interest they recommend separate partitions for /var/log and /var/audit. I assume this is because these partitions are somehow securely mirrored such that one cannot remove information from them once it has been written.

I would be careful with your nosuid and noexec options; you might disable legitimate execution and nosuid may not apply to capabilities. I personally think the utmost best defence for any kind of application-level security is mandatory access control, but this is not fully prevalent and available / compatible with all software yet, since many software authors do not take this into account (the old NT assume I'm an admin problem).

  • 2
    Putting `/var/log` and `/var/log/audit` on their own partitions is to help them better weather another location filling up. In the default partitioning scheme (just `/` and swap) a user could fill up their home directory, stop application and kernel logging, then try whatever they want without any record. – Scott Pack Jun 10 '11 at 11:33
  • 1
    @Scott good point, that too. –  Jun 10 '11 at 12:31
3

The partitioning schema you choose has little impact on security. Don't sweat it (at least, not the security implications). If you're worried about security, there are more effective ways to spend your time.

D.W.
  • 98,420
  • 30
  • 267
  • 572
2

I would start by looking at standards documents for some recommendations, and adjust from there to best fit your environment. For some good starter information and an example partition table read through the "Partitioning Considerations" section of the Red Hat Linux 5 benchmark from the Center for Internet Security. I found their recommended partitioning scheme, with partition size adjustments, to work very well for a desktop environment.

Also, make sure to think long and hard about which options you enable and what their implications might be. For instance, noatime does provide a performance boost, however it can make forensics work more difficult in the future.

Scott Pack
  • 15,167
  • 5
  • 61
  • 91
1

I can answer on partitioning.

Keeping separate partitions for system directories like /, /usr, /boot is more of convenience and what you like to separate out. All together really you dont need more than 4-5 GB.

Look at https://askubuntu.com/questions/6490/is-a-boot-partition-necessary-anymore for detailed discussion on need of /boot as a separate filesystem.

Also look here for different partitioning options on Ubuntu/Linux

/tmp and /var makes sense and I would give ~ RAM size for /tmp, /var sizing depends upon your usage and your log rotation policies.

swap I would give twice RAM.

/home I will give everything else.

For increased security in filesystem level, I believe experts in askubuntu can help you better

Community
  • 1
Jamess
  • 111
  • 4
0
/   ext4    defaults,noatime
/boot   ext4    defaults,noatime,nodev,nosuid,noexec
/home   ext4    noatime,nodev,nosuid
/tmp    ext4    noatime,nodev,nosuid,noexec
/usr    ext4    noatime,nodev
/var    ext4    noatime,nodev,nosuid
none    swap    sw
Hendrik Brummermann
  • 27,118
  • 6
  • 79
  • 121
LanceBaynes
  • 6,149
  • 11
  • 60
  • 91