Bootloader and Partitions
Protecting the bootloader can prevent unauthorized users who have physical access to the system from, for example, attaining root privileges through single-user mode.
In short, you want to prohibit unauthorized reconfiguration of your system; otherwise anybody could load and edit anything on it.
You can set a password for the bootloader to prevent users from entering single-user mode, changing settings at boot time, accessing the bootloader console, resetting the root password, booting non-secure operating systems and disabling SELinux.
```bash
grub2-mkpasswd-pbkdf2
grub2-setpassword # or set it automatically
```

```bash
cat > /etc/grub.d/01_hash << __EOF__
set superusers="user"
password_pbkdf2 user grub.pbkdf2.sha512.<hash> # rest of your password hash
__EOF__
```

```bash
grub2-mkconfig > /boot/grub2/grub.cfg
```

| Policy | Rule |
| --- | --- |
| PCI-DSS | doesn't exist |
| C2S/CIS | CCE-27309-4 (High) |
Think carefully before setting a bootloader password: it can be problematic for production clusters.
To prevent local users from modifying the boot parameters, ensure the permissions on the bootloader configuration files are set properly.
```bash
chmod 600 /boot/grub2/grub.cfg
chmod og-rwx /etc/grub.conf
chmod -R og-rwx /etc/grub.d
```

```bash
chown root:root /boot/grub2/grub.cfg
chown root:root /etc/grub.conf
chown -R root:root /etc/grub.d
```

| Policy | Permissions rule | Ownership rule |
| --- | --- | --- |
| PCI-DSS | Unknown (Medium) | Unknown (Medium) |
| C2S/CIS | CCE-27054-6 (Medium) | CCE-26860-7 (Medium) |
These rules are intended for bare metal and VMs; they are not applicable to containers.
Critical file systems should be separated into different partitions; this makes your system more robust and more secure.
There are several advantages of having partitions on your hard drive:
- prevents one overflowing partition from filling the whole disk
- isolates data corruption
- logical separation of data
- reduced `fsck` duration
- allows using different file systems
C2S/CIS recommends that the following filesystems be mounted on separate partitions:
- `/home`
- `/var/tmp`
- `/var`
- `/tmp`
- `/var/log/audit`
- `/var/log`

| Policy | Rules (in the order listed above) |
| --- | --- |
| PCI-DSS | doesn't exist |
| C2S/CIS | CCE-80144-9 (Low); Unknown (Low); CCE-26404-4 (Low); CCE-27173-4 (Low); CCE-26971-2 (Low); CCE-26967-0 (Low) |
Depending on the purpose of the server, you should also consider separating the following:
- `/usr`
- `/var/www`
- `/var/lib/pgsql` (plus `pg_log`)
By default, mount options are not focused on security. Restrictive options can be used to make certain types of malicious behavior more difficult.
| Policy | Rule |
| --- | --- |
| PCI-DSS | CCE-27309-4 (High) |
| C2S/CIS | CCE-27309-4 (High) |
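The mount options themselves are not listed on this page, so the following added example (not the guide's own code) audits an fstab listing for the separately mounted filesystems discussed above and reports which hardening options are missing. The option sets it expects (nodev for /home; nodev, nosuid, noexec for /tmp, /var/tmp and /dev/shm) are an assumed CIS-style policy, and the fstab content is constructed.

```shell
# Added example, not from the guide: audit an fstab listing for separate
# partitions whose mount options lack the hardening flags. The flag sets used
# (nodev for /home; nodev,nosuid,noexec for /tmp, /var/tmp and /dev/shm) are
# an assumed CIS-style policy, not taken from the page.

# Constructed sample /etc/fstab content, not from a real host.
SAMPLE_FSTAB='
# <device>      <mount>    <type>  <options>                     <dump> <pass>
UUID=aaaa-1111  /          xfs     defaults                      0 0
UUID=bbbb-2222  /home      xfs     defaults,nodev                0 0
UUID=cccc-3333  /tmp       xfs     defaults,nodev,nosuid,noexec  0 0
UUID=dddd-4444  /var/tmp   xfs     defaults                      0 0
tmpfs           /dev/shm   tmpfs   defaults,nodev,nosuid,noexec  0 0
'

# mount_options FSTAB MOUNTPOINT: print the options field of that mount point
# (comment lines ignored); print nothing if it has no entry of its own.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '!/^[[:space:]]*#/ && $2 == mp { print $4; exit }'
}

# has_option OPTIONS OPTION: succeed if OPTION is in the comma-separated list.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}
# missing_options FSTAB MP WANTED...: print absent wanted options, or "not-separate" if MP has no entry.
missing_options() {
    fstab=$1; mp=$2; shift 2
    opts=$(mount_options "$fstab" "$mp")
    if [ -z "$opts" ]; then printf 'not-separate'; return; fi
    out=""
    for want in "$@"; do
        has_option "$opts" "$want" || out="$out $want"
    done
    printf '%s' "${out# }"
}

# audit_fstab FSTAB: one report line per checked mount point.
audit_fstab() {
    for mp in /home /tmp /var/tmp /dev/shm; do
        case $mp in /home) want="nodev" ;; *) want="nodev nosuid noexec" ;; esac
        m=$(missing_options "$1" "$mp" $want)   # $want unquoted: split into words
        [ -z "$m" ] && printf '%s OK\n' "$mp" || printf '%s MISSING: %s\n' "$mp" "$m"
    done
}
audit_fstab "$SAMPLE_FSTAB"
```

On a real host, replace `SAMPLE_FSTAB` with `$(cat /etc/fstab)` or, to check what is actually mounted, with the output of `findmnt -rn -o SOURCE,TARGET,FSTYPE,OPTIONS`.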
The Practical Linux Hardening Guide provides a high-level overview of hardening GNU/Linux systems. It is not an official standard or handbook, but it touches on and uses industry standards.