Rocky Linux 9.5 CIS Benchmark Partitioning Guide for 400GB Storage

Rocky Linux 9.5 CIS Benchmark Partitioning Guide

To align your Rocky Linux 9.5 installation with the CIS Benchmark recommendations and make full use of 400 GiB of storage, follow this partitioning scheme and these filesystem recommendations.

📌 Partitioning Plan (CIS Benchmark Aligned)

| Partition | Size | Filesystem | Mount options | Purpose |
|---|---|---|---|---|
| /boot | 1024 MiB | ext4 | nodev, noexec, nosuid | Bootloader partition |
| /home | 100 GiB | xfs | nodev | User data storage |
| /var | 40 GiB | xfs | nodev | App and system data |
| /var/log | 60 GiB | xfs | nodev | System logs |
| /var/log/audit | 15 GiB | xfs | nodev | Security audit logs |
| /var/tmp | 20 GiB | xfs | nodev, noexec, nosuid | Temporary storage |
| /tmp | 20 GiB | xfs | nodev, noexec, nosuid | Prevent script execution in /tmp |
| /srv | 30 GiB | xfs | nodev | Application data |
| /opt | 30 GiB | xfs | nodev | Third-party software |
| /swap | 16 GiB | swap | N/A | Virtual memory swap |
| / (root) | 88 GiB | xfs | defaults | Main OS partition |

Total used: 400 GiB ✅

🔧 Filesystem Choices

| Filesystem | Reason |
|---|---|
| XFS (for most partitions) | Best for high-performance and large storage |
| ext4 (for /boot) | Needed for compatibility with bootloaders |
| swap | Virtual memory |

📌 Security-Hardened /etc/fstab Configuration

```
UUID=<boot-uuid>  /boot          ext4  defaults,nodev,noexec,nosuid  1 2
UUID=<home-uuid>  /home          xfs   defaults,nodev                0 2
UUID=<var-uuid>   /var           xfs   defaults,nodev                0 2
UUID=<log-uuid>   /var/log       xfs   defaults,nodev                0 2
UUID=<audit-uuid> /var/log/audit xfs   defaults,nodev                0 2
UUID=<tmp-uuid>   /tmp           xfs   defaults,nodev,noexec,nosuid  0 2
UUID=<vtmp-uuid>  /var/tmp       xfs   defaults,nodev,noexec,nosuid  0 2
UUID=<srv-uuid>   /srv           xfs   defaults,nodev                0 2
UUID=<opt-uuid>   /opt           xfs   defaults,nodev                0 2
UUID=<root-uuid>  /              xfs   defaults                      0 1
UUID=<swap-uuid>  swap           swap  defaults                      0 0
```

πŸ“ Note: Replace <UUID> with actual disk UUIDs using blkid command

🛠 Steps to Configure During Installation

1. Manual Partitioning

  • Choose "Custom Partitioning" in the Rocky Linux installer
  • Create partitions according to the table above

2. Format the Partitions

  • Set /boot as ext4
  • Set all other partitions as XFS
  • Set swap as swap

3. Assign Mount Points

  • Configure mount points as per the partitioning table
  • Ensure proper hierarchy (e.g., /var before /var/log)

4. Apply Mount Options

  • Click on "Modify Mount Options"
  • Set nodev, noexec, nosuid as needed per the table
  • Confirm settings before proceeding

5. Verify Configuration

  • Confirm total usage is ~400 GiB
  • Review all mount points and options
  • Proceed with installation

🔒 CIS Benchmark Security Benefits

Mount Option Security

| Mount option | Security benefit |
|---|---|
| nodev | Prevents device files on the filesystem from being interpreted as devices |
| noexec | Prevents execution of binaries from the filesystem |
| nosuid | Prevents set-user-ID and set-group-ID bits from taking effect |

Partition Separation Benefits

  1. Containment: Limits the impact of disk space exhaustion
  2. Security: Prevents privilege escalation through filesystem attacks
  3. Performance: Optimizes I/O patterns for different data types
  4. Compliance: Meets CIS Benchmark requirements

πŸ” Additional Hardening Steps#

Post-Installation Configuration#

Terminal window
# Enable automatic fsck (Filesystem Check) on boot
tune2fs -c 30 /dev/sda1 # for /boot (ext4)
# Verify SELinux is enforcing
getenforce # Should return "Enforcing"
# Set correct permissions for temporary directories
chmod 1777 /tmp /var/tmp
# Verify mount options
mount | grep -E "(tmp|var|home|opt|srv)"

SELinux Configuration

```bash
# Ensure SELinux is in enforcing mode
sestatus
# If needed, set the running system to enforcing ...
setenforce 1
# ... and persist it. Edit the SELINUX= line in place: overwriting the whole
# file with "echo > /etc/selinux/config" would drop SELINUXTYPE=targeted.
sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
```

Audit Configuration

```bash
# Verify auditd is enabled and running
systemctl status auditd
systemctl enable auditd
# Check audit log location
ls -la /var/log/audit/
```

🔧 Maintenance and Monitoring

Disk Space Monitoring

```bash
# Monitor partition usage
df -h
# Check for large files
du -sh /var/log/* | sort -rh | head -10
# Set up disk usage alerts (the "+0" forces a numeric compare on the "85%" field;
# without it awk compares strings and "100%" would never trigger)
echo "*/15 * * * * root df -h | awk '\$5+0 > 85 {print \$0}' | mail -s 'Disk Usage Alert' admin@domain.com" >> /etc/crontab
```

Log Rotation Configuration

```bash
# Configure logrotate for audit logs
cat > /etc/logrotate.d/audit << EOF
/var/log/audit/*.log {
    weekly
    rotate 52
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root root
    postrotate
        /sbin/service auditd restart 2> /dev/null || true
    endscript
}
EOF
```

📊 Partition Usage Monitoring

Create Monitoring Script

/usr/local/bin/disk-monitor.sh

```bash
#!/bin/bash
# Mail an alert for every filesystem whose usage exceeds THRESHOLD percent.
THRESHOLD=85
EMAIL="admin@domain.com"

df -h | awk -v threshold="$THRESHOLD" '
NR > 1 {
    # Strip the trailing "%" and add 0 to force a numeric comparison;
    # as a plain string "100" would sort below "85" and never alert.
    usage = substr($5, 1, length($5) - 1) + 0
    if (usage > threshold) {
        print "WARNING: " $6 " is " $5 " full"
    }
}' | while IFS= read -r line; do
    if [ -n "$line" ]; then
        echo "$line" | mail -s "Disk Space Alert - $(hostname)" "$EMAIL"
    fi
done
```

🚀 Performance Optimization

XFS Optimizations

```bash
# Mount options for better performance (add to /etc/fstab)
# For databases or high I/O applications:
# UUID=<uuid> /var/lib/mysql xfs defaults,noatime,nodiratime 0 2
# For general performance:
# UUID=<uuid> /home xfs defaults,noatime 0 2
```

I/O Scheduler Optimization

```bash
# Set I/O scheduler for better performance
echo mq-deadline > /sys/block/sda/queue/scheduler
# Make permanent
echo 'ACTION=="add|change", KERNEL=="sd*", ATTR{queue/scheduler}="mq-deadline"' > /etc/udev/rules.d/60-ioschedulers.rules
```

🔥 Final Validation Checklist

  • ✅ Partitioning: All partitions created according to CIS recommendations
  • ✅ Mount Options: Security options applied correctly (nodev, noexec, nosuid)
  • ✅ Filesystem Types: XFS for data, ext4 for boot, swap configured
  • ✅ SELinux: Enforcing mode enabled
  • ✅ Audit: Audit daemon enabled and logging to dedicated partition
  • ✅ Permissions: Correct permissions on temporary directories (1777)
  • ✅ Monitoring: Disk usage monitoring scripts in place
  • ✅ Log Rotation: Configured to prevent log partition overflow

🎯 Benefits of This Configuration

  1. Security Compliance: Meets CIS Benchmark Level 1 requirements
  2. Scalability: Optimized for both production and development workloads
  3. Reliability: Separate partitions prevent system-wide failures
  4. Performance: XFS provides excellent performance for large files
  5. Monitoring: Built-in disk usage monitoring and alerting
  6. Maintenance: Simplified backup and maintenance procedures

This layout provides a robust foundation for a secure Rocky Linux 9.5 server that follows industry best practices and security standards.

Source: https://mranv.pages.dev/posts/rocky-linux-cis-benchmark-partitioning/
Author: Anubhav Gain
Published: 2025-03-01
License: CC BY-NC-SA 4.0