
Bootloader and Partitions

@trimstray edited this page Feb 22, 2019 · 104 revisions




Bootloader

Protecting the bootloader can stop unauthorized users who have physical access to the system from, for example, attaining root privileges through single-user mode.

Basically, you want to prohibit unauthorized reconfiguration of your system; otherwise anybody at the console could load and edit anything on it.

Protect bootloader with password

Rationale

You can set a password for the bootloader to prevent users from entering single-user mode, changing settings at boot time, accessing the bootloader console, resetting the root password, booting non-secure operating systems and disabling SELinux.

Solution

Generate password hash
# PCI-DSS: doesn't exist
# C2S/CIS: CCE-27309-4 (High)

grub2-mkpasswd-pbkdf2
grub2-setpassword # alternatively: prompts for the password and writes the hash to /boot/grub2/user.cfg for you
Update grub configuration
# PCI-DSS: doesn't exist
# C2S/CIS: CCE-27309-4 (High)

cat > /etc/grub.d/01_hash << '__EOF__'
#!/bin/sh
# grub2-mkconfig executes this file; whatever it prints is written into grub.cfg
# replace <hash> with the rest of the hash printed by grub2-mkpasswd-pbkdf2
cat << EOF
set superusers="user"
password_pbkdf2 user grub.pbkdf2.sha512.<hash>
EOF
__EOF__
chmod +x /etc/grub.d/01_hash
Regenerate grub configuration
# PCI-DSS: doesn't exist
# C2S/CIS: CCE-27309-4 (High)

grub2-mkconfig -o /boot/grub2/grub.cfg
# on UEFI systems grub.cfg lives under /boot/efi/EFI/<distro>/ instead
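The three steps above rely on one mechanism: grub2-mkconfig runs every executable file in /etc/grub.d and pastes whatever each one prints into grub.cfg, so the password stanza must be printed by a script, not stored as bare GRUB commands. The script below is an added example (not part of this guide or of GRUB itself) that rebuilds that flow in a scratch directory and then audits the resulting file the way a compliance check would. Function names are hypothetical, and the hash is a constructed placeholder in the right format; on a real system the hash comes from grub2-mkpasswd-pbkdf2 and the file to audit is /boot/grub2/grub.cfg.

```shell
#!/bin/sh
# Added example, not from the guide: builds a /etc/grub.d-style password
# snippet in a scratch directory, renders it the way grub2-mkconfig does
# (each executable snippet is run and its stdout concatenated), and then
# audits the result. Function names are hypothetical; the hash below is a
# constructed placeholder, a real one comes from grub2-mkpasswd-pbkdf2.

# write_grub_password_snippet DIR USER HASH
# Creates DIR/01_hash: an executable script that prints the superuser and
# password_pbkdf2 stanza (user and hash on ONE line, as GRUB requires).
write_grub_password_snippet() {
    dir=$1; user=$2; hash=$3
    cat > "$dir/01_hash" << EOF
#!/bin/sh
cat << 'GRUB'
set superusers="$user"
password_pbkdf2 $user $hash
GRUB
EOF
    chmod 0700 "$dir/01_hash"
}

# render_grub_fragment DIR
# Runs every executable file in DIR in name order and prints the output,
# mimicking how grub2-mkconfig assembles grub.cfg from /etc/grub.d/*.
# Non-executable files are skipped, exactly as grub2-mkconfig skips them.
render_grub_fragment() {
    for f in "$1"/*; do
        if [ -x "$f" ]; then sh "$f"; fi
    done
}

# audit_grub_cfg FILE
# 0 when FILE sets superusers AND uses a PBKDF2 hash; 1 otherwise.
# A plain "password user secret" line (GRUB's cleartext form) does not pass.
audit_grub_cfg() {
    grep -Eq '^set superusers=' "$1" &&
    grep -Eq '^password_pbkdf2 [^ ]+ grub\.pbkdf2\.sha512\.' "$1"
}

main() {
    tmp=$(mktemp -d)
    mkdir "$tmp/grub.d"
    # constructed placeholder hash (format only, not a real hash)
    write_grub_password_snippet "$tmp/grub.d" user \
        'grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH'
    render_grub_fragment "$tmp/grub.d" > "$tmp/grub.cfg"
    cat "$tmp/grub.cfg"
    if audit_grub_cfg "$tmp/grub.cfg"; then
        echo "bootloader password: configured"
    else
        echo "bootloader password: missing or cleartext"
    fi
    rm -rf "$tmp"
}
main "$@"
```

Running it prints the two-line fragment followed by "bootloader password: configured". Point `audit_grub_cfg` at /boot/grub2/grub.cfg to check a real host; it deliberately rejects GRUB's cleartext `password` directive, which is the mistake the audit is meant to catch.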

Policies

PCI-DSS: doesn't exist
C2S/CIS: CCE-27309-4 (High)

My comment

You should think carefully about setting a password for the bootloader because it can be problematic for production clusters.

Useful resources

Protect bootloader config files

Rationale

To prevent local users from modifying the boot parameters, ensure that the bootloader configuration files' permissions and ownership are set properly.

Solution

Set the permissions on the bootloader config files
# PCI-DSS: Unknown (Medium)
# C2S/CIS: CCE-27054-6 (Medium)

chmod 600 /boot/grub2/grub.cfg
chmod og-rwx /etc/grub.conf
chmod -R og-rwx /etc/grub.d
Set the owner and group on the bootloader config files
# PCI-DSS: Unknown (Medium)
# C2S/CIS: CCE-26860-7 (Medium)

chown root:root /etc/grub.conf
chown root:root /boot/grub2/grub.cfg
chown -R root:root /etc/grub.d
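The commands above set the state; the script below is an added audit (not from this guide) that verifies it, reporting any bootloader configuration file that still has group/other permission bits or is not owned by root. It assumes GNU coreutils/findutils as shipped with CentOS/RHEL (`stat -c`, `find -perm /MODE`); function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the guide: audit bootloader configuration files
# for the permissions and ownership the rules above require.
# Assumes GNU stat/find (CentOS/RHEL). Function names are hypothetical.

# mode_of FILE -> octal permission bits, e.g. 600
mode_of() { stat -c '%a' "$1"; }

# is_private FILE -> 0 when group and other have no permission bits at all
is_private() {
    m=$(printf '%03d' "$(mode_of "$1")") || return 1
    # last two octal digits are group and other; both must be 0
    case "$m" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# is_owned_by FILE UID GID -> 0 when numeric owner and group match
is_owned_by() {
    [ "$(stat -c '%u:%g' "$1")" = "$2:$3" ]
}

# audit_boot_config FILE EXPECTED_UID EXPECTED_GID
# Prints one line per finding; returns 0 when the file is compliant
# (or absent, since /etc/grub.conf only exists on legacy GRUB systems).
audit_boot_config() {
    f=$1; uid=$2; gid=$3; rc=0
    if [ ! -e "$f" ]; then
        echo "SKIP $f: not present on this system"
        return 0
    fi
    if ! is_private "$f"; then
        echo "FAIL $f: mode $(mode_of "$f"), expected no group/other bits"
        rc=1
    fi
    if ! is_owned_by "$f" "$uid" "$gid"; then
        echo "FAIL $f: owner $(stat -c '%U:%G' "$f"), expected uid:gid $uid:$gid"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $f"
    return "$rc"
}

# list_exposed DIR -> every entry under DIR with any group/other bit set
# (what `chmod -R og-rwx` should have cleared)
list_exposed() { find "$1" -perm /077 -print; }

main() {
    # root is uid 0 / gid 0; the paths are the ones the rules above cover
    for f in /boot/grub2/grub.cfg /etc/grub.conf /etc/grub.d; do
        audit_boot_config "$f" 0 0 || true
    done
    if [ -d /etc/grub.d ]; then list_exposed /etc/grub.d; fi
}
main "$@"
```

`list_exposed` is the recursive counterpart of the single-file check: it walks /etc/grub.d and names each entry whose group or other bits are still set, so an empty listing means `chmod -R og-rwx` took effect everywhere.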

Policies

PCI-DSS: Unknown (Medium); Unknown (Medium)
C2S/CIS: CCE-27054-6 (Medium); CCE-26860-7 (Medium)

My comment

These rules are intended for bare-metal/VM systems; they are not applicable to containers.

Disk Partitioning

Critical file systems should be separated into different partitions in ways that make your system more robust and more secure.

Separate disk partitions

Rationale

There are several advantages of having partitions on your hard drive:

  • a filesystem that fills up does not take the whole disk with it
  • isolation of data corruption to one partition
  • logical separation of data
  • shorter fsck runs
  • ability to use different file systems (and mount options) per partition

C2S/CIS recommends that the following filesystems be mounted on separate partitions:

  • /home
  • /var/tmp
  • /var
  • /tmp
  • /var/log/audit
  • /var/log

PCI-DSS: doesn't exist
C2S/CIS: CCE-80144-9 (L), Unknown (L), CCE-26404-4 (L), CCE-27173-4 (L), CCE-26971-2 (L), CCE-26967-0 (L)
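Whether a directory is "on a separate partition" is simply whether it appears as a mount point in its own right; /var/log living on the /var filesystem does not count. The script below is an added check (not from this guide) that reads a table in /proc/mounts format and reports each recommended directory as OK or MISSING, also showing the mount options it was mounted with. Function names are hypothetical and the sample table is constructed; pass /proc/mounts as the first argument to check a live system.

```shell
#!/bin/sh
# Added example, not from the guide: report which of the recommended
# directories are genuinely separate mount points, reading a table in
# /proc/mounts format. Function names are hypothetical and the sample
# table is constructed; pass /proc/mounts to check a live system.

# mounted_at TABLE DIR -> 0 when DIR appears as a mount point (field 2)
mounted_at() {
    awk -v d="$2" '$2 == d { found = 1 } END { exit !found }' "$1"
}

# mount_options TABLE DIR -> prints the options (field 4) DIR is mounted with
mount_options() {
    awk -v d="$2" '$2 == d { print $4 }' "$1"
}

# check_separate_partitions TABLE DIR...
# One line per directory; the return value is the count of directories
# that still share their parent's filesystem (0 = fully compliant).
check_separate_partitions() {
    table=$1; shift; missing=0
    for d in "$@"; do
        if mounted_at "$table" "$d"; then
            echo "OK      $d  ($(mount_options "$table" "$d"))"
        else
            echo "MISSING $d  (shares the parent filesystem)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample: /home, /var and /tmp are split out, the others are not.
SAMPLE_MOUNTS='/dev/mapper/vg-root / xfs rw,relatime 0 0
/dev/sda1 /boot xfs rw,relatime 0 0
/dev/mapper/vg-home /home xfs rw,nosuid,nodev 0 0
/dev/mapper/vg-var /var xfs rw,relatime 0 0
/dev/mapper/vg-tmp /tmp xfs rw,nosuid,nodev,noexec 0 0'

# the six filesystems C2S/CIS recommends separating
CIS_DIRS='/home /var/tmp /var /tmp /var/log/audit /var/log'

main() {
    tab=${1:-}
    if [ -z "$tab" ]; then
        tab=$(mktemp)
        printf '%s\n' "$SAMPLE_MOUNTS" > "$tab"
        trap 'rm -f "$tab"' EXIT
    fi
    # word-splitting of CIS_DIRS is intended: one path per argument
    check_separate_partitions "$tab" $CIS_DIRS
    echo "directories still to separate: $?"
}
main "$@"
```

With the constructed table the result is three MISSING lines (/var/tmp, /var/log/audit, /var/log) and a return value of 3, which is a convenient exit status for a cron or configuration-management check.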

My comment

I think you should also consider separating the following partitions (depending, of course, on the purpose of the server):

  • /usr
  • /var/www
  • /var/lib/pgsql + pg_log

Useful resources

Restrict mount options

By default, mount options are not chosen with security in mind.

Rationale

Solution


My comment

Useful resources
