The following are recommendations for filesystem and directory configuration. They are easier to apply during the initial OS installation; if an existing system has to be repartitioned, take a full backup first.
1. Disable unneeded filesystem modules using the rmmod command:
rmmod <filesystem>
a. freevxfs (free version of Veritas type filesystem)
b. cramfs
c. jffs2 (journaling flash filesystem)
d. hfs (hierarchical filesystem)
e. hfsplus
f. udf (universal disk format) filesystem
g. FAT (File Allocation Table) filesystem (note: it is used by UEFI systems for the EFI boot partition, so disabling the vfat module can prevent UEFI systems from booting)
2. Directory /tmp is configured with the appropriate option set. Mount tmpfs on /tmp.
Note: /tmp is a world-writable directory used as temporary storage by users and applications. Recommended options are:
- noexec (executables cannot be run from the filesystem)
- nodev (device special files are not interpreted)
- nosuid (setuid and setgid bits are ignored)
a. Configure /etc/fstab:
tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0
b. Create a tmp.mount unit file and save it under the /etc/systemd/system folder:
cp -v /usr/share/systemd/tmp.mount /etc/systemd/system/
Under /etc/systemd/system/tmp.mount, configure the /tmp mount:
[Mount]
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,nosuid,nodev,noexec
c. Reload systemd
systemctl daemon-reload
d. Enable and start tmp.mount
systemctl --now enable tmp.mount
3. Directory /dev/shm is configured with the appropriate option set. Mount tmpfs at /dev/shm.
Note: /dev/shm is the traditional shared memory mount, an efficient means of passing data between programs.
Recommended options are:
- noexec (executables cannot be run from the filesystem)
- nodev (device special files are not interpreted)
- nosuid (setuid and setgid bits are ignored)
Under /etc/fstab:
tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid,seclabel 0 0
Remount /dev/shm:
mount -o remount,noexec,nodev,nosuid /dev/shm
4. Directory /var and its sub-directories should be on a separate partition
/var is the directory used to temporarily store dynamic data for system services
New installation: create a custom partition for /var
Already installed: create a new partition and configure /etc/fstab
<device> on /var type ext4 (rw,relatime,data=ordered)
Recommended options are:
- noexec (executables cannot be run from the filesystem)
- nodev (device special files are not interpreted)
- nosuid (setuid and setgid bits are ignored)
a. /var/tmp
- is the directory used for temporary user and application storage
<device> on /var/tmp type ext4 (rw,nosuid,nodev,noexec,relatime)
Remount:
mount -o remount,nosuid,nodev,noexec /var/tmp
b. /var/log
- is the directory used to store log data for services
<device> on /var/log type ext4 (rw,nosuid,nodev,noexec,relatime)
mount -o remount,nosuid,nodev,noexec /var/log
c. /var/log/audit
- is the directory used to store log data for the auditd daemon
<device> on /var/log/audit type ext4 (rw,relatime,data=ordered)
5. Directory /home should be on a separate partition with the appropriate option set.
Recommended options are:
- noexec (executables cannot be run from the filesystem)
- nodev (device special files are not interpreted)
- nosuid (setuid and setgid bits are ignored)
<device> on /home type ext4 (rw,nodev,relatime,data=ordered)
Remount:
mount -o remount,nodev /home
6. Automounting should be removed or disabled
autofs allows devices (USB, DVD/CD) to be mounted automatically
apt purge autofs
7. USB storage should be disabled
Check whether the module is available and how it would be loaded (dry run):
modprobe -n -v usb-storage
Unload the usb-storage module:
rmmod usb-storage
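An audit script for steps 1 to 7, added here as an example and not part of the original guide: it reports which recommended mount options are missing on each mount point and whether each listed module has a persistent rule under /etc/modprobe.d (rmmod only unloads the module from the running kernel; an "install MOD /bin/true" or "blacklist MOD" rule is what keeps it out after a reboot). It assumes /proc/self/mounts and /etc/modprobe.d/*.conf are the sources to read; the SAMPLE_* values are constructed input, not output from a real host.

```shell
#!/bin/sh
# Audit script: checks the mount options and modprobe rules recommended above.
# The two SAMPLE_* values are constructed input (not captured from a real host)
# so the functions run offline; omit that argument to read the live system.
SAMPLE_MOUNTS='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda3 /var ext4 rw,relatime,data=ordered 0 0
/dev/sda4 /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda5 /home ext4 rw,nodev,relatime,data=ordered 0 0'
SAMPLE_MODPROBE='install cramfs /bin/true
blacklist hfs
install udf /bin/false'
# missing_opts MOUNTPOINT "opt1 opt2 ..." [MOUNTS_TEXT]
# Prints the required options absent from MOUNTPOINT, or NOT-MOUNTED.
missing_opts() {
    mp=$1; required=$2; text=${3:-$(cat /proc/self/mounts)}
    # field 4 of /proc/self/mounts is the option list; last match wins (overmounts)
    opts=$(printf '%s\n' "$text" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    [ -n "$opts" ] || { printf 'NOT-MOUNTED'; return 0; }
    missing=""
    for o in $required; do
        case ",$opts," in *",$o,"*) ;; *) missing="$missing $o" ;; esac
    done
    printf '%s' "${missing# }"
}
# module_disabled MODULE [MODPROBE_CONF_TEXT]
# rmmod only unloads for the running kernel; an "install MOD /bin/true|false"
# or "blacklist MOD" rule in /etc/modprobe.d is what keeps it out after reboot.
module_disabled() {
    mod=$1; text=${2:-$(cat /etc/modprobe.d/*.conf 2>/dev/null)}
    printf '%s\n' "$text" | awk -v m="$mod" '
        $1 == "install" && $2 == m && ($3 == "/bin/true" || $3 == "/bin/false") { f = 1 }
        $1 == "blacklist" && $2 == m { f = 1 }
        END { print (f ? "yes" : "no") }'
}
# audit [MOUNTS_TEXT] [MODPROBE_CONF_TEXT]: prints each finding, returns 1 if any.
audit() {
    rc=0
    for spec in "/tmp:nosuid nodev noexec" "/dev/shm:nosuid nodev noexec" \
                "/var/tmp:nosuid nodev noexec" "/var/log:nosuid nodev noexec" "/home:nodev"; do
        mp=${spec%%:*}; m=$(missing_opts "$mp" "${spec#*:}" "$1")
        [ -z "$m" ] || { echo "$mp: missing $m"; rc=1; }
    done
    for mod in freevxfs cramfs jffs2 hfs hfsplus udf usb-storage; do
        [ "$(module_disabled "$mod" "$2")" = yes ] || { echo "$mod: no modprobe rule"; rc=1; }
    done
    return $rc
}
```

Run `audit` with no arguments on a live host to check the real mounts and modprobe configuration; `audit "$SAMPLE_MOUNTS" "$SAMPLE_MODPROBE"` exercises it against the constructed sample.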