# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
#
/boot (critical partition): nodev yes, noexec yes, nosuid yes, read-only yes, separate partition yes. Comment: this is the critical directory containing the kernel images; if an attacker replaces or removes your kernel, you have serious problems.

/etc (critical partition): nodev yes, noexec yes, nosuid yes, read-only no, separate partition tricky. Comment: this is the critical directory holding the system's configuration and usually the first target of an attacker. There should be no binaries here. Mounting it read-only would stop you from changing passwords and other important settings, so it is not recommended. Separating it is tricky because it has to be available before anything else is mounted (fstab itself lives here). Note also that some files under /etc are executed directly, such as the scripts in /etc/init.d and the ones run-parts launches from /etc/cron.daily, so noexec here will break those.

/home (critical partition): nodev yes, noexec yes, nosuid yes, read-only no, separate partition yes. Comment: /home is where users keep their files and do their work (assuming they can log in); if you provide services such as IMAP, that is where their mail folders will be. Make it a separate partition because users tend to fill up disk space quickly. It also stops them from creating hard links to system files (hard links cannot cross file systems) and then using a setuid program that dumps core, for example, to overwrite the linked file. Mounting noexec is probably a good idea but, depending on the kind of work users do, it can seriously hinder them. Mounting nosuid is a good idea and should not really affect users.

/lib (critical partition): nodev yes, noexec no, nosuid yes, read-only yes, separate partition no. Comment: most programs rely on the libraries in this directory; if they are damaged or trojaned, cleaning up will be hard. It contains executable code (.so shared objects and the like), so noexec would not be wise.

/mnt (critical directory): nodev yes, noexec yes, nosuid yes, read-only yes, separate partition not needed. Comment: /mnt is normally used to mount removable devices, such as /mnt/floppy, /mnt/cdrom or /mnt/cdrom0, so it rarely contains anything but a few empty directories. Separating it gains nothing, because everything under it is itself a mount. Bear in mind that the options on /mnt do not carry over to the devices mounted beneath it: give each removable-media entry its own nodev,noexec,nosuid.

/opt (critical partition): nodev yes, separate partition yes. Comment: this directory is used for optional packages, vendor software and so on. This kind of software often needs setuid bits to work properly, which is a good reason to keep it on its own partition, since many vendors' software security is terrible.

/proc: /proc is a virtual file system, not a disk partition.

/root: nodev yes, separate partition a good idea. Comment: root's private playground; many people use it instead of /usr/local to test things and so on.

/sbin: nodev yes, noexec no, nosuid no, read-only yes, separate partition no. Comment: directory containing the other essential system binaries; do not mount it noexec or nosuid or you will break your system. Read-only prevents trojans but makes software updates much harder.

/tmp: nodev yes, noexec yes, nosuid yes, read-only no, separate partition yes. Comment: this is the temporary directory used by all users and by the system, a sandbox; mounting it read-only will break things. Separate it, because many exploits consist of hard-linking a target file into /tmp (impossible across file systems) and then getting a program to misbehave and destroy or modify that file for malicious purposes. Binaries, and especially setuid binaries, should not be allowed in /tmp, since any user can modify them. Keep in mind that noexec only blocks executing files from that mount directly; a script can still be handed to an interpreter that lives elsewhere (sh /tmp/x.sh), so it is a hurdle for automated attacks, not a barrier.

/usr (critical partition): nodev yes, noexec no, nosuid yes, read-only yes, separate partition yes. Comment: this is where most of the software is installed, along with source code and other material. Separating it is a good idea because it usually holds the bulk of the software, in /usr/bin and /usr/sbin. Read-only prevents an attacker from inserting a trojan but makes upgrades much harder; I would not bother mounting it read-only unless /bin and /sbin are read-only as well.

/bin: nodev yes, noexec no, nosuid no, read-only yes, separate partition no. Comment: directory containing the essential system binaries; mounting it noexec or nosuid will stop the system working properly. Read-only prevents trojans but makes software updates much harder. On distributions with a merged /usr, /bin, /sbin and /lib are symlinks into /usr, so the options on /usr are what count.

/dev: nodev no, noexec yes, nosuid yes, read-only no, separate partition no. Comment: mounting /dev with nodev would severely damage your system, as would mounting it read-only. /dev is usually only a few MB, and the ability to write to device files can do huge damage and compromise the system. On current systems /dev is a devtmpfs populated by udev rather than an fstab entry, so check its options in /proc/mounts.

/var: nodev yes, noexec yes, nosuid yes, read-only no, separate partition yes. Comment: /var is used for many things, including system logging. It must be a separate partition because an attacker can try to fill it by flooding the log files. Other user data is stored here too, such as mail (/var/spool/mail ...), and software such as mail servers (Sendmail, Postfix ...), proxies and FTP servers keep their data here. There should be no binaries here, just log files and data. If noexec breaks a program that keeps executables under /var, move those files to another partition and symlink the directory back into /var. On Debian-based systems in particular, dpkg runs package maintainer scripts out of /var/lib/dpkg/info, so with noexec on /var you must remount it exec (mount -o remount,exec /var) for the duration of package installs and upgrades.
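The entries above, as an added example that is not part of the original article: a hardened fstab fragment for the directories that get their own file system, plus a small POSIX shell check that compares what is actually mounted against it. Device names, the set of mount points and the sample /proc/mounts contents are constructed for the example; on a live system replace the sample with the contents of /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the original article: hardened fstab entries for the
# separate partitions discussed above, plus a check of the running system's
# mounts against them. Device names and the sample mount table are constructed.

# Hardened entries in fstab(5) format. Device names are placeholders; use UUID=
# as the header of the original file recommends.
HARDENED_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1 /boot ext4 defaults,nodev,noexec,nosuid,ro 0 2
/dev/sda3 /home ext4 defaults,nodev,noexec,nosuid 0 2
tmpfs /tmp tmpfs defaults,nodev,noexec,nosuid 0 0
/dev/sda4 /usr ext4 defaults,nodev,nosuid,ro 0 2
/dev/sda5 /var ext4 defaults,nodev,noexec,nosuid 0 2
/dev/sda6 /opt ext4 defaults,nodev 0 2'

# Constructed sample in /proc/mounts format (what a live system would show);
# deliberately missing some options, and with no separate /opt at all.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,nodev,noexec,nosuid,relatime 0 0
/dev/sda3 /home ext4 rw,nodev,nosuid,relatime 0 0
tmpfs /tmp tmpfs rw,nodev,noexec,nosuid 0 0
/dev/sda4 /usr ext4 ro,nodev,nosuid,relatime 0 0
/dev/sda5 /var ext4 rw,nodev,noexec,nosuid,relatime 0 0'

# fstab_policy FSTAB_TEXT -> one "mountpoint|opts" line per entry, keeping only
# the hardening options (nodev, noexec, nosuid, ro); comments and blanks skipped.
fstab_policy() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        {
            n = split($4, o, ",")
            keep = ""
            for (i = 1; i <= n; i++)
                if (o[i] ~ /^(nodev|noexec|nosuid|ro)$/)
                    keep = keep (keep == "" ? "" : ",") o[i]
            print $2 "|" keep
        }'
}

# missing_opts MOUNT_OPTS REQUIRED -> the required options absent from the
# comma-separated mount options, space separated (empty when compliant).
missing_opts() {
    opts=",$1,"
    missing=""
    oldifs=$IFS; IFS=','
    for r in $2; do
        case "$opts" in
            *",$r,"*) ;;
            *) missing="${missing:+$missing }$r" ;;
        esac
    done
    IFS=$oldifs
    printf '%s' "$missing"
}

# audit_mounts MOUNTS_TEXT POLICY_TEXT -> one line per deviation: the mount
# point with its missing options, or a note that it is not a separate mount.
audit_mounts() {
    printf '%s\n' "$2" | while IFS='|' read -r mp required; do
        line=$(printf '%s\n' "$1" | awk -v mp="$mp" '$2 == mp { print; exit }')
        if [ -z "$line" ]; then
            printf '%s: not a separate mount\n' "$mp"
            continue
        fi
        m=$(missing_opts "$(printf '%s\n' "$line" | awk '{ print $4 }')" "$required")
        if [ -n "$m" ]; then
            printf '%s: missing %s\n' "$mp" "$m"
        fi
    done
}

# Check the constructed mount table; on a live system use "$(cat /proc/mounts)".
# For the sample this prints:
#   /boot: missing ro
#   /home: missing noexec
#   /opt: not a separate mount
audit_mounts "$SAMPLE_MOUNTS" "$(fstab_policy "$HARDENED_FSTAB")"
```

The policy is derived from the fstab fragment itself, so the two cannot drift apart, and the check reads /proc/mounts rather than fstab because fstab only says what should be mounted: an entry that was never mounted, or was remounted with different options after boot, is exactly the case you want to catch.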
inspired by the article