
CIS Benchmark - Linux Filesystem Partitions

On a Linux server, several directories that the CIS Benchmarks recommend isolating, such as /tmp, /var and /home, live on the root (or boot) partition by default rather than in their own partitions. Giving each of these directories its own partition lets system administrators apply fine-grained mount options to what that filesystem may contain (for example, no device nodes or setuid binaries under /var) and prevents a single runaway directory from exhausting the space the root filesystem needs.

For example, this post walks through CIS Benchmark 1.1.3.1, Ensure separate partition exists for /var.

Prerequisites

  • Enough unallocated space on the boot volume (or an additional attached block volume) to hold the new partition

Move directory onto separate partition

The examples below will be related to RHEL/OL8 and may differ between distributions.

  1. If this is a brand new system, provision it with enough boot volume space for these extra partitions from the start. If this is an existing system, increase the disk size (or attach an additional block volume), reboot so the kernel sees the new size, and extend the partition table.
  2. Take a backup first in case anything goes wrong.
  3. Use the fdisk utility to create the extra partition. The examples below use /dev/oracleoci/oraclevdb1, the first partition of an attached OCI block volume; substitute your own device.
  4. Create a filesystem on the new partition. The -L flag only sets a filesystem label, which lets /etc/fstab refer to the partition without depending on its device name; the mount point is chosen when the filesystem is mounted, not here.
mkfs -t xfs -L var /dev/oracleoci/oraclevdb1
  5. Create a temporary directory to which the data will be moved.
mkdir /var1
  6. Mount the newly created filesystem on the temporary directory.
mount /dev/oracleoci/oraclevdb1 /var1
  7. Move all the data from the source directory into the new filesystem. A plain mv * skips dot-files, so enable dotglob first. /var is written to constantly by running services (journald, rsyslog, dnf, any database), so do this from rescue or single-user mode, or with those services stopped; alternatively copy with cp -a or rsync -aAX and switch over once the copy has been verified.
cd /var
shopt -s dotglob
mv * /var1
  8. Unmount the temporary directory and mount the partition over the now-empty /var. Anything left behind in the original /var directory is hidden under the mount, not deleted.
umount /var1
cd ..
mount /dev/oracleoci/oraclevdb1 /var
  9. Add the mount to /etc/fstab so it persists across reboots. Refer to the filesystem by the label set in step 4 rather than by device path, since device names can change when volumes are added or removed. The long option string that mount and /proc/mounts display (seclabel, attr2, inode64, logbufs, logbsize and so on) is what XFS reports at run time, not something that needs to be written into fstab; defaults plus the hardening options is enough.
LABEL=var /var xfs defaults,nodev,noexec,nosuid 0 0
  10. This is also a good time to apply mount options such as noexec, nosuid and nodev. nodev stops device nodes from being honoured on the filesystem, nosuid ignores setuid and setgid bits, and noexec stops binaries from being executed from it, which limits an attacker's ability to stage and run tooling from a world-writable location. The benchmark itself requires nodev and nosuid on /var and applies noexec to /tmp and /var/tmp; test noexec on all of /var before relying on it, because some software expects to execute files it writes under /var/tmp. See man mount for the exact filesystem-specific options.
  11. Execute restorecon on the new mount to restore the SELinux contexts of the moved files.
restorecon -vvFR /var
  12. Check the new fstab entry with findmnt --verify before rebooting; a mistyped entry drops the system into emergency mode at boot. Then reboot and make sure the new mount is displayed when viewing the partitions with lsblk, df -h or findmnt /var.
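The check a practitioner wants after step 12, and again whenever fstab is touched later, is whether /var is actually its own mount and still carries the hardening options. The script below is an example added to this post, not part of the original, and is assumed to be saved as audit-var.sh (a name chosen here). It reads lines in /proc/mounts format, reports whether /var is a separate mount and whether nodev, nosuid and noexec are present, and matches options as whole comma-separated words so that a substring of a longer option does not count. The two embedded mount tables are constructed samples, not captured from a real host; run it with --live to audit the machine it is executing on.

```shell
#!/bin/bash
# Added example: audit the "separate partition for /var" result after the
# migration. Not part of the original post. Reads lines in /proc/mounts format
# (device mountpoint fstype options dump pass) and reports whether /var is its
# own mount and which hardening options it carries.

# mount_line MOUNTS DIR
#   Print the /proc/mounts line whose mount point is exactly DIR (empty if none).
mount_line() {
    printf '%s\n' "$1" | awk -v dir="$2" '$2 == dir { print; exit }'
}

# has_opts MOUNTS DIR OPT...
#   Succeed only if DIR is a mount point and every OPT is in its option list.
#   Options are matched as whole comma-separated words, so "nodev" does not
#   accidentally match a longer option that merely contains the text.
has_opts() {
    local mounts="$1" dir="$2" line opts opt
    shift 2
    line=$(mount_line "$mounts" "$dir")
    [ -n "$line" ] || return 1
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    for opt in "$@"; do
        case ",$opts," in
            *",$opt,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit_var MOUNTS
#   Print one PASS/FAIL line per check; exit status 0 only if all checks pass.
#   nodev and nosuid are what the benchmark requires on /var; noexec is
#   reported as informational because this post applies it as well.
audit_var() {
    local mounts="$1" rc=0 opt
    if [ -n "$(mount_line "$mounts" /var)" ]; then
        echo "PASS /var is a separate mount (CIS 1.1.3.1)"
    else
        echo "FAIL /var is not a separate mount (CIS 1.1.3.1)"
        return 1
    fi
    for opt in nodev nosuid; do
        if has_opts "$mounts" /var "$opt"; then
            echo "PASS /var is mounted with $opt"
        else
            echo "FAIL /var is missing $opt"; rc=1
        fi
    done
    if has_opts "$mounts" /var noexec; then
        echo "INFO /var is mounted with noexec"
    else
        echo "INFO /var is mounted without noexec"
    fi
    return "$rc"
}

# Constructed sample mount tables (not captured from a real system): a host
# before the migration, where /var is just a directory on /, and the same host
# after the steps above.
BEFORE='/dev/sda3 / xfs rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 0
/dev/sda1 /boot xfs rw,relatime,attr2,inode64,noquota 0 0'
AFTER="$BEFORE
/dev/sdb1 /var xfs rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota,nodev,noexec,nosuid 0 0"

if [ "${1:-}" = "--live" ]; then
    # Audit the machine this script is running on.
    audit_var "$(cat /proc/self/mounts)"
else
    echo "== constructed sample: before migration =="
    audit_var "$BEFORE" || echo "(failures expected on the 'before' sample)"
    echo "== constructed sample: after migration =="
    audit_var "$AFTER"
fi
```

Run `bash audit-var.sh` to see both samples evaluated, or `bash audit-var.sh --live` on the rebuilt host; a non-zero exit from the live run means either /var is not its own mount or one of the required options has gone missing, which is exactly what a later careless edit to fstab would produce.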
