Rocky Linux 9.5 CIS Benchmark Partitioning Guide#

To align your Rocky Linux 9.5 installation with CIS Benchmark recommendations and fully utilize 400 GiB of storage, follow this partitioning scheme and filesystem recommendations.

📌 Partitioning Plan (CIS Benchmark Aligned)#

Partition	Size	Filesystem	Mount Options	Purpose
`/boot`	1024 MiB	ext4	`nodev, noexec, nosuid`	Bootloader partition
`/home`	100 GiB	xfs	`nodev`	User data storage
`/var`	40 GiB	xfs	`nodev`	App & system logs
`/var/log`	60 GiB	xfs	`nodev`	System logs
`/var/log/audit`	15 GiB	xfs	`nodev`	Security audit logs
`/var/tmp`	20 GiB	xfs	`nodev, noexec, nosuid`	Temporary storage
`/tmp`	20 GiB	xfs	`nodev, noexec, nosuid`	Prevent script execution in /tmp
`/srv`	30 GiB	xfs	`nodev`	Application data
`/opt`	30 GiB	xfs	`nodev`	Third-party software
`/swap`	16 GiB	swap	N/A	Virtual memory swap
`/` (root)	88 GiB	xfs	Default	Main OS partition

Total Used: 400 GiB ✅

🔧 Filesystem Choices#

Filesystem	Reason
XFS (for most partitions)	Best for high-performance and large storage
EXT4 (for /boot)	Needed for compatibility with bootloaders
Swap	Virtual memory

📌 Security-Hardened /etc/fstab Configuration#

1
UUID=<boot-uuid>    /boot         ext4  defaults,nodev,noexec,nosuid  1 2
2
UUID=<home-uuid>    /home         xfs   defaults,nodev                0 2
3
UUID=<var-uuid>     /var          xfs   defaults,nodev                0 2
4
UUID=<log-uuid>     /var/log      xfs   defaults,nodev                0 2
5
UUID=<audit-uuid>   /var/log/audit xfs  defaults,nodev                0 2
6
UUID=<tmp-uuid>     /tmp          xfs   defaults,nodev,noexec,nosuid  0 2
7
UUID=<vtmp-uuid>    /var/tmp      xfs   defaults,nodev,noexec,nosuid  0 2
8
UUID=<srv-uuid>     /srv          xfs   defaults,nodev                0 2
9
UUID=<opt-uuid>     /opt          xfs   defaults,nodev                0 2
10
UUID=<root-uuid>    /             xfs   defaults                      0 1
11
UUID=<swap-uuid>    swap          swap  defaults                      0 0

📝 Note: Replace <UUID> with actual disk UUIDs using blkid command

🛠 Steps to Configure During Installation#

1. Manual Partitioning#

Choose “Custom Partitioning” in Rocky Linux installer
Create partitions according to the table above

2. Format the Partitions#

Set /boot as ext4
Set all other partitions as XFS
Set swap as swap

3. Assign Mount Points#

Configure mount points as per the partitioning table
Ensure proper hierarchy (e.g., /var before /var/log)

4. Apply Mount Options#

Click on “Modify Mount Options”
Set nodev, noexec, nosuid as needed per the table
Confirm settings before proceeding

5. Verify Configuration#

Confirm total usage is ~400 GiB
Review all mount points and options
Proceed with installation

🔒 CIS Benchmark Security Benefits#

Mount Option Security#

Mount Option	Security Benefit
`nodev`	Prevents device files from being interpreted as devices
`noexec`	Prevents execution of binaries from the filesystem
`nosuid`	Prevents set-user-ID and set-group-ID bits from taking effect

Partition Separation Benefits#

Containment: Limits the impact of disk space exhaustion
Security: Prevents privilege escalation through filesystem attacks
Performance: Optimizes I/O patterns for different data types
Compliance: Meets CIS Benchmark requirements

🔍 Additional Hardening Steps#

Post-Installation Configuration#

1
# Enable automatic fsck (Filesystem Check) on boot
2
tune2fs -c 30 /dev/sda1  # for /boot (ext4)
3

4
# Verify SELinux is enforcing
5
getenforce  # Should return "Enforcing"
6

7
# Set correct permissions for temporary directories
8
chmod 1777 /tmp /var/tmp
9

10
# Verify mount options
11
mount | grep -E "(tmp|var|home|opt|srv)"

SELinux Configuration#

1
# Ensure SELinux is in enforcing mode
2
sestatus
3

4
# If needed, set to enforcing
5
setenforce 1
6
echo "SELINUX=enforcing" > /etc/selinux/config

Audit Configuration#

1
# Verify auditd is enabled and running
2
systemctl status auditd
3
systemctl enable auditd
4

5
# Check audit log location
6
ls -la /var/log/audit/

🔧 Maintenance and Monitoring#

Disk Space Monitoring#

1
# Monitor partition usage
2
df -h
3

4
# Check for large files
5
du -sh /var/log/* | sort -rh | head -10
6

7
# Set up disk usage alerts
8
echo "*/15 * * * * root df -h | awk '\$5 > 85 {print \$0}' | mail -s 'Disk Usage Alert' admin@domain.com" >> /etc/crontab

Log Rotation Configuration#

1
# Configure logrotate for audit logs
2
cat > /etc/logrotate.d/audit << EOF
3
/var/log/audit/*.log {
4
    weekly
5
    rotate 52
6
    compress
7
    delaycompress
8
    missingok
9
    notifempty
10
    create 0640 root root
11
    postrotate
12
        /sbin/service auditd restart 2> /dev/null || true
13
    endscript
14
}
15
EOF

📊 Partition Usage Monitoring#

Create Monitoring Script#

1
#!/bin/bash
2
THRESHOLD=85
3
EMAIL="admin@domain.com"
4

5
df -h | awk -v threshold=$THRESHOLD '
6
NR>1 {
7
    usage = substr($5, 1, length($5)-1)
8
    if (usage > threshold) {
9
        print "WARNING: " $6 " is " $5 " full"
10
    }
11
}' | while read line; do
12
    if [ ! -z "$line" ]; then
13
        echo "$line" | mail -s "Disk Space Alert - $(hostname)" $EMAIL
14
    fi
15
done

🚀 Performance Optimization#

XFS Optimizations#

1
# Mount options for better performance (add to /etc/fstab)
2
# For databases or high I/O applications:
3
# UUID=<uuid> /var/lib/mysql xfs defaults,noatime,nodiratime 0 2
4

5
# For general performance:
6
# UUID=<uuid> /home xfs defaults,noatime 0 2

I/O Scheduler Optimization#

1
# Set I/O scheduler for better performance
2
echo mq-deadline > /sys/block/sda/queue/scheduler
3

4
# Make permanent
5
echo 'ACTION=="add|change", KERNEL=="sd*", ATTR{queue/scheduler}="mq-deadline"' > /etc/udev/rules.d/60-ioschedulers.rules

🔥 Final Validation Checklist#

✅ Partitioning: All partitions created according to CIS recommendations
✅ Mount Options: Security options applied correctly (nodev, noexec, nosuid)
✅ Filesystem Types: XFS for data, ext4 for boot, swap configured
✅ SELinux: Enforcing mode enabled
✅ Audit: Audit daemon enabled and logging to dedicated partition
✅ Permissions: Correct permissions on temporary directories (1777)
✅ Monitoring: Disk usage monitoring scripts in place
✅ Log Rotation: Configured to prevent log partition overflow

🎯 Benefits of This Configuration#

Security Compliance: Meets CIS Benchmark Level 1 requirements
Scalability: Optimized for both production and development workloads
Reliability: Separate partitions prevent system-wide failures
Performance: XFS provides excellent performance for large files
Monitoring: Built-in disk usage monitoring and alerting
Maintenance: Simplified backup and maintenance procedures

This layout provides a robust foundation for a secure Rocky Linux 9.5 server that follows industry best practices and security standards.