
Bootloader and Partitions

@trimstray edited this page Feb 22, 2019 · 104 revisions

You can file an issue about it and ask that it be added.



Bootloader

Protecting the bootloader prevents unauthorized users who have physical access to the system from, for example, attaining root privileges through single user mode.

In short, protect the bootloader whenever you want to prohibit unauthorized reconfiguration of your system; otherwise anybody at the console could load and edit anything on it.

Protect bootloader with password

Rationale

You can set a password for the bootloader to prevent users from entering single user mode, changing settings at boot time, accessing the bootloader console, resetting the root password, booting non-secure operating systems and disabling SELinux.

Solution
Generate password hash
# RedHat like distributions
grub2-mkpasswd-pbkdf2   # prompts for the password, prints a grub.pbkdf2.sha512.* hash
grub2-setpassword       # alternative: writes the hash to /boot/grub2/user.cfg itself,
                        # so the 01_hash step below is not needed

# Debian like distributions
grub-mkpasswd-pbkdf2    # prompts for the password, prints a grub.pbkdf2.sha512.* hash
Update grub configuration
grub-mkconfig executes the scripts in /etc/grub.d and copies their output into grub.cfg, so the drop-in must be an executable script that prints the directives, and password_pbkdf2 with its hash must stay on a single line:
cat > /etc/grub.d/01_hash << __EOF__
#!/bin/sh
cat << EOF
set superusers="user"
# the rest of your password hash follows the user name on the same line
password_pbkdf2 user grub.pbkdf2.sha512.<hash>
EOF
__EOF__
chmod +x /etc/grub.d/01_hash
Regenerate grub configuration
# RedHat like distributions
grub2-mkconfig -o /boot/grub2/grub.cfg
# on UEFI systems the file lives under /boot/efi/EFI/<distro>/grub.cfg instead

# Debian like distributions
grub-mkconfig -o /boot/grub/grub.cfg   # or simply: update-grub

PCI-DSS: doesn't exist
C2S/CIS: CCE-27309-4 (H)
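
The steps above, as an added example that is not code from this wiki page: it builds the kind of /etc/grub.d drop-in that grub-mkconfig executes and then checks the generated grub.cfg for a superuser and a matching pbkdf2 entry. The target directory, user name and hash are parameters so it can be exercised in a scratch directory; the hash in the demo is a constructed placeholder, not real grub-mkpasswd-pbkdf2 output, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the wiki page: builds the /etc/grub.d drop-in
# that grub-mkconfig executes and checks the resulting grub.cfg. Directory,
# user name and hash are parameters so it can be exercised in a scratch
# directory; the hash used in the demo is a constructed placeholder, not real
# grub-mkpasswd-pbkdf2 output.
set -eu

# write_grub_password_script DIR USER HASH
# grub-mkconfig runs every executable under /etc/grub.d and copies its stdout
# into grub.cfg, so the drop-in must be a script that *prints* the directives.
write_grub_password_script() {
    dir=$1; user=$2; pw_hash=$3
    case $pw_hash in
        grub.pbkdf2.sha512.*) ;;
        *) echo "refusing: '$pw_hash' is not grub-mkpasswd-pbkdf2 output" >&2; return 1 ;;
    esac
    # password_pbkdf2 and its hash must stay on one line
    cat > "$dir/01_hash" <<EOF
#!/bin/sh
cat <<GRUB
set superusers="$user"
password_pbkdf2 $user $pw_hash
GRUB
EOF
    chmod 755 "$dir/01_hash"
}

# check_grub_cfg FILE
# Returns 0 when FILE names a superuser and carries a pbkdf2 entry for it.
check_grub_cfg() {
    cfg=$1
    su=$(sed -n 's/^set superusers="\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    [ -n "$su" ] || return 1
    grep -q "^password_pbkdf2 $su grub\.pbkdf2\.sha512\." "$cfg"
}

# Stand-alone demo in a scratch directory; nothing under /etc or /boot is touched.
demo_dir=$(mktemp -d)
write_grub_password_script "$demo_dir" admin \
    grub.pbkdf2.sha512.10000.CONSTRUCTEDSALT.CONSTRUCTEDHASH
sh "$demo_dir/01_hash" > "$demo_dir/grub.cfg"      # what grub-mkconfig does with it
check_grub_cfg "$demo_dir/grub.cfg" && echo "grub.cfg: menu protected for user 'admin'"
rm -rf "$demo_dir"
```

To use it against a real system, call write_grub_password_script with /etc/grub.d, the chosen superuser name and the hash printed by grub-mkpasswd-pbkdf2, regenerate grub.cfg as shown above, and run check_grub_cfg on the regenerated file before rebooting.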

My comment

You should think carefully about setting a password for the bootloader, because it can be problematic for production servers.

Useful resources

Protect bootloader config files

Rationale

Setting proper permissions on the bootloader configuration files prevents local users from reading or modifying the boot parameters.

Solution
Set the permissions on the bootloader config files

Bare-metal/VM task, not applicable for containers.

chmod 600 /boot/grub2/grub.cfg
chmod og-rwx /etc/grub.conf
chmod -R og-rwx /etc/grub.d

PCI-DSS: Unknown (M)
C2S/CIS: CCE-27054-6 (M)

Set the owner and group on the bootloader config files

Bare-metal/VM task, not applicable for containers.

Make these files and directories readable and writable by root only, to prevent their destruction or modification:

chown root:root /etc/grub.conf
chown root:root /boot/grub2/grub.cfg
chown -R root:root /etc/grub.d

PCI-DSS: Unknown (M)
C2S/CIS: CCE-26860-7 (M)
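
The two checks above (owner root:root, no access for group or other), as an added audit example that is not code from this wiki page: it reports any bootloader configuration path whose owner or mode differs from what the chown/chmod steps leave behind, including the recursive case for /etc/grub.d. Paths and the expected owner are parameters so the functions can be exercised on scratch files without root; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the wiki page: audits the owner and mode of
# bootloader configuration paths the way a CIS-style check would, mirroring
# the chown/chmod steps above. Paths and the expected owner are parameters so
# the functions can be exercised on scratch files without root.
set -eu

# audit_bootcfg PATH EXPECTED_OWNER
# Prints one finding per line. Returns 0 when PATH is owned by EXPECTED_OWNER
# and grants no permission at all to group or other (the state chmod og-rwx
# leaves behind); a missing PATH is reported and skipped.
audit_bootcfg() {
    path=$1; want_owner=$2
    if [ ! -e "$path" ]; then
        echo "$path: missing (skipped)"
        return 0
    fi
    mode=$(stat -c '%a' "$path")     # octal, e.g. 600 or 1777 (GNU/busybox stat)
    owner=$(stat -c '%U' "$path")
    file_rc=0
    if [ "$owner" != "$want_owner" ]; then
        echo "$path: owned by $owner, expected $want_owner"
        file_rc=1
    fi
    # a leading 0 makes the shell parse the mode as octal; 077 masks group+other
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$path: mode $mode grants access to group/other (want og-rwx)"
        file_rc=1
    fi
    [ "$file_rc" -eq 0 ] && echo "$path: ok"
    return "$file_rc"
}

# audit_bootcfg_tree DIR EXPECTED_OWNER
# Same check for DIR and everything below it (the recursive chown/chmod case).
audit_bootcfg_tree() {
    find "$1" | while IFS= read -r entry; do
        audit_bootcfg "$entry" "$2" || exit 1   # exit only leaves the pipeline subshell
    done
}

# Stand-alone demo on scratch files; real targets would be /boot/grub2/grub.cfg,
# /etc/grub.conf and /etc/grub.d with expected owner root.
demo=$(mktemp -d)
mkdir "$demo/grub.d"
: > "$demo/grub.cfg";          chmod 644 "$demo/grub.cfg"
: > "$demo/grub.d/01_hash";    chmod 600 "$demo/grub.d/01_hash"
chmod 700 "$demo/grub.d"
me=$(id -un)
audit_bootcfg "$demo/grub.cfg" "$me" || true    # flags the world-readable 644
audit_bootcfg_tree "$demo/grub.d" "$me"
rm -rf "$demo"
```

On a real host the calls become audit_bootcfg /boot/grub2/grub.cfg root, audit_bootcfg /etc/grub.conf root and audit_bootcfg_tree /etc/grub.d root; a non-zero exit means at least one path still needs the chown or chmod from the steps above.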

Disk Partitioning

Critical file systems should be separated into different partitions in ways that make your system more robust and more secure.

Separate disk partitions

Policies

PCI-DSS: doesn't exist
C2S/CIS: CCE-80144-9 (L), Unknown (L), CCE-26404-4 (L), CCE-27173-4 (L), CCE-26971-2 (L), CCE-26967-0 (L)

Rationale

There are several advantages of splitting your hard drive into partitions:

  • one partition filling up does not overflow into the others
  • data corruption is isolated to a single partition
  • logical separation of data
  • shorter fsck runs
  • a different file system can be used per partition

C2S/CIS recommends that the following filesystems be mounted on separate partitions:

  • /home
  • /var/tmp
  • /var
  • /tmp
  • /var/log/audit
  • /var/log

I think you should consider separating the following partitions (depending on the purpose of the server):

  • /usr
  • /var/www
  • /var/lib/pgsql + pg_log
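
The two lists above, as an added audit example that is not code from this wiki page: it reads an fstab, reports which of the C2S/CIS-recommended mount points have no partition of their own, and shows which existing partition a further path such as /var/www would land on, which is what decides whether it is isolated from the rest of the system. The fstab path is a parameter; the sample fstab embedded for the demo is constructed, not taken from a real system, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the wiki page: checks an fstab for the
# separate mount points listed above and shows which existing partition a
# given path would land on. The fstab path is a parameter; the sample fstab
# below is constructed for the demo, not taken from a real system.
set -eu

# Mount points recommended by C2S/CIS (from the list above)
RECOMMENDED_MOUNTS="/home /var/tmp /var /tmp /var/log/audit /var/log"

# fstab_mountpoints FILE -> mount point column, skipping comments, blank lines
# and swap entries.
fstab_mountpoints() {
    awk '$1 !~ /^#/ && NF >= 2 && $2 != "none" && $3 != "swap" { print $2 }' "$1"
}

# has_separate_mount FILE MOUNTPOINT -> 0 when MOUNTPOINT has its own entry
has_separate_mount() {
    fstab_mountpoints "$1" | grep -qxF "$2"
}

# containing_mount FILE PATH -> the longest configured mount point that
# contains PATH, i.e. the partition PATH actually lives on.
containing_mount() {
    fstab_mountpoints "$1" | awk -v p="$2" '
        $0 == "/"                          { if (best == "") best = "/"; next }
        p == $0 || index(p, $0 "/") == 1   { if (length($0) > length(best)) best = $0 }
        END                                { print best }'
}

# missing_separate_mounts FILE -> prints recommended mount points lacking
# their own entry; returns 1 if any are missing.
missing_separate_mounts() {
    missing=0
    for mp in $RECOMMENDED_MOUNTS; do
        if ! has_separate_mount "$1" "$mp"; then
            echo "$mp"
            missing=1
        fi
    done
    return "$missing"
}

# write_sample_fstab DEST -> constructed fstab used by the demo
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample fstab for the demo (not a real system)
UUID=CONSTRUCTED-ROOT   /          ext4   defaults   1 1
UUID=CONSTRUCTED-HOME   /home      ext4   defaults   1 2
UUID=CONSTRUCTED-VAR    /var       xfs    defaults   1 2
UUID=CONSTRUCTED-VLOG   /var/log   xfs    defaults   1 2
UUID=CONSTRUCTED-SWAP   none       swap   sw         0 0
tmpfs                   /tmp       tmpfs  defaults   0 0
EOF
}

# Stand-alone demo
sample=$(mktemp)
write_sample_fstab "$sample"
echo "recommended mount points without their own partition:"
missing_separate_mounts "$sample" || true
echo "/var/www would live on the $(containing_mount "$sample" /var/www) partition"
echo "/var/log/audit would live on the $(containing_mount "$sample" /var/log/audit) partition"
rm -f "$sample"
```

Run missing_separate_mounts /etc/fstab on a real host to see what the C2S/CIS list still calls for, and containing_mount /etc/fstab /var/www (or /var/lib/pgsql) to see whether such an application directory currently shares a partition with /var or with the root file system.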
Useful resources

Restrict mount options

By default mount options are not focused on security.

Rationale
Solution

PCI-DSS: C2S/CIS:

Set the permissions on the bootloader config files

PCI-DSS: C2S/CIS:

Set the owner and group of bootloader config files
Useful resources