Rocky Linux 9.5 CIS Benchmark Partitioning Guide for 400GB Storage
Anubhav Gain
2025-03-01
Rocky Linux 9.5 CIS Benchmark Partitioning Guide
To align your Rocky Linux 9.5 installation with CIS Benchmark recommendations and make full use of 400 GiB of storage, follow the partitioning scheme and filesystem recommendations below.
Partitioning Plan (CIS Benchmark Aligned)
| Partition | Size | Filesystem | Mount Options | Purpose |
|---|---|---|---|---|
| /boot | 1024 MiB | ext4 | nodev, noexec, nosuid | Bootloader partition |
| /home | 100 GiB | xfs | nodev | User data storage |
| /var | 40 GiB | xfs | nodev | App & system logs |
| /var/log | 60 GiB | xfs | nodev | System logs |
| /var/log/audit | 15 GiB | xfs | nodev | Security audit logs |
| /var/tmp | 20 GiB | xfs | nodev, noexec, nosuid | Temporary storage |
| /tmp | 20 GiB | xfs | nodev, noexec, nosuid | Prevent script execution in /tmp |
| /srv | 30 GiB | xfs | nodev | Application data |
| /opt | 30 GiB | xfs | nodev | Third-party software |
| swap | 16 GiB | swap | N/A | Virtual memory swap |
| / (root) | 88 GiB | xfs | Default | Main OS partition |

Total Used: 400 GiB
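Before handing a plan like this to the installer it is worth checking that the sizes actually fit the disk. The script below is an added example, not part of the original post: it carries a constructed copy of the table above in "mount size_gib" form, sums the sizes with awk, and compares the sum with an assumed disk size (DISK_GIB). Run against the sizes in the table it reports 420 GiB, which is more than the 400 GiB target, so the plan has to be trimmed by 20 GiB somewhere before the installer will accept it.

```sh
#!/bin/sh
# Added example (not from the original post): check that a partition plan
# fits the target disk. PLAN is a constructed copy of the table above in
# "mount size_gib" form; DISK_GIB is the assumed size of the target disk.
DISK_GIB=400

PLAN='/boot 1
/home 100
/var 40
/var/log 60
/var/log/audit 15
/var/tmp 20
/tmp 20
/srv 30
/opt 30
swap 16
/ 88'

# Sum the size column; prints an integer number of GiB.
plan_total_gib() {
    printf '%s\n' "$PLAN" | awk '{ total += $2 } END { print total + 0 }'
}

# Return 0 when the plan fits on the disk, 1 when it is oversubscribed,
# and say by how much so the table can be rebalanced.
plan_fits() {
    total=$(plan_total_gib)
    if [ "$total" -gt "$DISK_GIB" ]; then
        echo "plan needs ${total} GiB but the disk has ${DISK_GIB} GiB; trim $((total - DISK_GIB)) GiB" >&2
        return 1
    fi
    echo "plan uses ${total} of ${DISK_GIB} GiB"
    return 0
}

# Standalone run: report the verdict without aborting the shell.
if plan_fits; then
    echo "sizes fit; proceed with the installer"
else
    echo "rebalance the table before installing" >&2
fi
```

Edit PLAN to match whatever you end up choosing in the installer and re-run; the /boot entry is rounded to 1 GiB because the check only needs whole-GiB precision.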
Filesystem Choices

| Filesystem | Reason |
|---|---|
| XFS (for most partitions) | Best for high-performance and large storage |
| EXT4 (for /boot) | Needed for compatibility with bootloaders |
| Swap | Virtual memory |
Security-Hardened /etc/fstab Configuration

```
UUID=<boot-uuid>  /boot           ext4  defaults,nodev,noexec,nosuid  1 2
UUID=<home-uuid>  /home           xfs   defaults,nodev                0 2
UUID=<var-uuid>   /var            xfs   defaults,nodev                0 2
UUID=<log-uuid>   /var/log        xfs   defaults,nodev                0 2
UUID=<audit-uuid> /var/log/audit  xfs   defaults,nodev                0 2
UUID=<tmp-uuid>   /tmp            xfs   defaults,nodev,noexec,nosuid  0 2
UUID=<vtmp-uuid>  /var/tmp        xfs   defaults,nodev,noexec,nosuid  0 2
UUID=<srv-uuid>   /srv            xfs   defaults,nodev                0 2
UUID=<opt-uuid>   /opt            xfs   defaults,nodev                0 2
UUID=<root-uuid>  /               xfs   defaults                      0 1
UUID=<swap-uuid>  swap            swap  defaults                      0 0
```

Note: Replace the `<...-uuid>` placeholders with the actual disk UUIDs reported by the `blkid` command.
Steps to Configure During Installation

1. Manual Partitioning
   - Choose "Custom Partitioning" in the Rocky Linux installer
   - Create partitions according to the table above
2. Format the Partitions
   - Set /boot as ext4
   - Set all other partitions as XFS
   - Set swap as swap
3. Assign Mount Points
   - Configure mount points as per the partitioning table
   - Ensure proper hierarchy (e.g., /var before /var/log)
4. Apply Mount Options
   - Click on "Modify Mount Options"
   - Set nodev, noexec, nosuid as needed per the table
   - Confirm settings before proceeding
5. Verify Configuration
   - Confirm total usage is ~400 GiB
   - Review all mount points and options
   - Proceed with installation
CIS Benchmark Security Benefits

Mount Option Security

| Mount Option | Security Benefit |
|---|---|
| nodev | Prevents device files from being interpreted as devices |
| noexec | Prevents execution of binaries from the filesystem |
| nosuid | Prevents set-user-ID and set-group-ID bits from taking effect |
Partition Separation Benefits
- Containment: Limits the impact of disk space exhaustion
- Security: Prevents privilege escalation through filesystem attacks
- Performance: Optimizes I/O patterns for different data types
- Compliance: Meets CIS Benchmark requirements
Additional Hardening Steps

Post-Installation Configuration

```sh
# Enable periodic fsck (filesystem check) at boot for the ext4 /boot partition
tune2fs -c 30 /dev/sda1   # /dev/sda1 is assumed to hold /boot; adjust to your layout

# Verify SELinux is enforcing
getenforce   # should return "Enforcing"

# Set the sticky, world-writable mode on the temporary directories
chmod 1777 /tmp /var/tmp

# Verify mount options on the running system
mount | grep -E "(tmp|var|home|opt|srv)"
```
SELinux Configuration

```sh
# Ensure SELinux is in enforcing mode
sestatus

# If needed, switch to enforcing now and make it persistent across reboots.
# Edit the existing SELINUX= line in place rather than overwriting the file,
# which would drop the other settings it carries (such as SELINUXTYPE).
setenforce 1
sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
```
Audit Configuration

```sh
# Verify auditd is enabled and running
systemctl status auditd
systemctl enable auditd

# Check the audit log location
ls -la /var/log/audit/
```
Maintenance and Monitoring

Disk Space Monitoring

```sh
# Monitor partition usage
df -h

# Check for large files
du -sh /var/log/* | sort -rh | head -10

# Set up disk usage alerts. The usage column is a string such as "90%", so
# force it to a number with +0 before comparing; -P keeps one filesystem per line.
echo "*/15 * * * * root df -P | awk 'NR>1 && \$5+0 > 85 {print \$0}' | mail -s 'Disk Usage Alert' admin@domain.com" >> /etc/crontab
```
Log Rotation Configuration

```sh
# Configure logrotate for audit logs
cat > /etc/logrotate.d/audit << EOF
/var/log/audit/*.log {
    weekly
    rotate 52
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root root
    postrotate
        /sbin/service auditd restart 2> /dev/null || true
    endscript
}
EOF
```
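Whether the 15 GiB /var/log/audit partition can overflow is decided mostly by auditd's own rotation settings in /etc/audit/auditd.conf (max_log_file, num_logs and max_log_file_action, all documented in auditd.conf(5)), since auditd rotates independently of logrotate. The script below is an added example, not part of the original post: it reads those keys from a constructed auditd.conf sample, works out the largest size the audit.log set can reach, and compares it with the partition size from the table. The value defaults used when a key is absent (8 MiB, 5 files) are assumptions taken from the sample, not from auditd's compiled-in behaviour.

```sh
#!/bin/sh
# Added example (not from the original post): estimate how much of the
# /var/log/audit partition auditd's own rotation can consume. AUDITD_CONF
# is a constructed sample using keys documented in auditd.conf(5);
# AUDIT_PART_MIB is the 15 GiB from the table above, expressed in MiB.
AUDIT_PART_MIB=$((15 * 1024))

AUDITD_CONF='max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = email
admin_space_left = 50
admin_space_left_action = SUSPEND'

# conf_value <conf text> <key> : prints the value for key (first match), or nothing.
conf_value() {
    printf '%s\n' "$1" | awk -F '=' -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# audit_log_budget_mib <conf text> : prints the largest size in MiB the
# audit.log set can reach under the configured action, or -1 when the
# action lets the logs grow without bound (keep_logs, ignore, syslog).
audit_log_budget_mib() {
    size=$(conf_value "$1" max_log_file)
    count=$(conf_value "$1" num_logs)
    size=${size:-8}     # assumed fallback when the key is absent
    count=${count:-5}   # assumed fallback when the key is absent
    action=$(conf_value "$1" max_log_file_action | tr 'A-Z' 'a-z')
    case "$action" in
        rotate)  echo $((size * count)) ;;   # num_logs files of max_log_file each
        suspend) echo "$size" ;;             # logging stops at max_log_file
        *)       echo -1 ;;                  # keep_logs / ignore / syslog: unbounded
    esac
}

# audit_partition_fits <conf text> <partition MiB> : 0 when the budget fits,
# 1 when it does not or cannot be bounded by max_log_file_action at all.
audit_partition_fits() {
    budget=$(audit_log_budget_mib "$1")
    if [ "$budget" -lt 0 ]; then
        echo "max_log_file_action does not bound the logs; only space_left/admin_space_left protect the partition" >&2
        return 1
    fi
    [ "$budget" -le "$2" ]
}

# Standalone run: report on the sample, then on the real file if readable.
echo "sample: up to $(audit_log_budget_mib "$AUDITD_CONF") MiB of ${AUDIT_PART_MIB} MiB"
if audit_partition_fits "$AUDITD_CONF" "$AUDIT_PART_MIB"; then echo "sample fits"; fi
if [ -r /etc/audit/auditd.conf ]; then
    live=$(cat /etc/audit/auditd.conf)
    echo "live: up to $(audit_log_budget_mib "$live") MiB of ${AUDIT_PART_MIB} MiB"
    if audit_partition_fits "$live" "$AUDIT_PART_MIB"; then echo "live config fits"; fi
fi
```

With the sample values the bound is 40 MiB, far below the partition, which is the usual situation: the partition is oversized relative to auditd's defaults, and the thing to watch is whether someone sets `max_log_file_action = keep_logs` for retention, at which point only the space_left thresholds stand between the logs and a full partition.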
Partition Usage Monitoring

Create Monitoring Script

```bash
#!/bin/bash
THRESHOLD=85
EMAIL="admin@domain.com"

# -P keeps each filesystem on one line. The usage column is a string such as
# "90%", so strip the % and add 0 to force a numeric comparison; without the
# +0 awk compares the values as strings and "9" sorts above "85".
df -P | awk -v threshold="$THRESHOLD" 'NR>1 {
    usage = substr($5, 1, length($5)-1)
    if (usage+0 > threshold+0) {
        print "WARNING: " $6 " is " $5 " full"
    }
}' | while read -r line; do
    if [ -n "$line" ]; then
        echo "$line" | mail -s "Disk Space Alert - $(hostname)" "$EMAIL"
    fi
done
```
Performance Optimization

XFS Optimizations

```sh
# Mount options for better performance (add to /etc/fstab)
# For databases or high I/O applications:
# UUID=<uuid> /var/lib/mysql xfs defaults,noatime,nodiratime 0 2

# For general performance:
# UUID=<uuid> /home xfs defaults,noatime 0 2
```
I/O Scheduler Optimization

```sh
# Set I/O scheduler for better performance
echo mq-deadline > /sys/block/sda/queue/scheduler

# Make permanent
echo 'ACTION=="add|change", KERNEL=="sd*", ATTR{queue/scheduler}="mq-deadline"' > /etc/udev/rules.d/60-ioschedulers.rules
```
Final Validation Checklist

- Partitioning: All partitions created according to CIS recommendations
- Mount Options: Security options applied correctly (nodev, noexec, nosuid)
- Filesystem Types: XFS for data, ext4 for boot, swap configured
- SELinux: Enforcing mode enabled
- Audit: Audit daemon enabled and logging to dedicated partition
- Permissions: Correct permissions on temporary directories (1777)
- Monitoring: Disk usage monitoring scripts in place
- Log Rotation: Configured to prevent log partition overflow

Benefits of This Configuration
- Security Compliance: Meets CIS Benchmark Level 1 requirements
- Scalability: Optimized for both production and development workloads
- Reliability: Separate partitions prevent system-wide failures
- Performance: XFS provides excellent performance for large files
- Monitoring: Built-in disk usage monitoring and alerting
- Maintenance: Simplified backup and maintenance procedures
This layout provides a robust foundation for a secure Rocky Linux 9.5 server that follows industry best practices and security standards.
https://mranv.pages.dev/posts/rocky-linux-cis-benchmark-partitioning/