Product Name: CIS Hardened Images® (AWS)

Product Version: All

Problem

I would like to increase the partition size in my Linux Hardened Image, but I am worried it will compromise security recommendations in place. Do you have any guidance or best practices on how to increase partition size without compromising the controls in place (either technically or the spirit of the controls themselves)?

Solution

Part of CIS hardening is dedicating a separate partition to /var/log, specifically recommendation 1.1.15, “Ensure separate partition exists for /var/log”. Keeping the default size of /var/log at 6 GB helps keep costs low by ensuring the AMIs use as little block storage as possible; however, it can certainly be resized to fit the end user’s needs. Deleting and re-creating the partition is a viable option. The hardening at stake is that /var/log stays separate from the rest of the system, which protects against resource exhaustion and protects the audit data. Keep in mind that when the partition was created and mounted during the image build, its SELinux security context was also changed with the command chcon -t var_log_t /mnt (the new partition was mounted at /mnt while building), so a re-created partition needs the same context applied. Also stay in accordance with the benchmark and take into account the documented impact of recommendation 1.1.15, noted below.
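The following is an added verification script, not part of this page or of the CIS Hardened Images build: after the /var/log partition has been deleted and re-created, it checks the two properties the answer relies on, that /var/log is still a separate mount (recommendation 1.1.15) and that its SELinux type is still var_log_t. The `ls -dZ` output format and the sample mount lines are assumptions labelled in the comments.

```shell
#!/bin/sh
# Added verification script (not from the CIS page or the CIS Hardened Images
# build). After deleting and re-creating the /var/log partition, it confirms
# the two properties the answer above calls out: /var/log is still a separate
# mount (recommendation 1.1.15) and its SELinux type is still var_log_t.
# Each check takes its input as an argument, so it can run on live command
# output or on the constructed samples at the bottom.

# Check 1: does any line of /proc/mounts-format text have /var/log as its
# mountpoint (second field)? Returns 0 if so, 1 otherwise.
var_log_is_separate_mount() {
    printf '%s\n' "$1" | awk '$2 == "/var/log" { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Check 2: given one line in "ls -dZ /var/log" format (context then path,
# assumed here to be "user:role:type:level /var/log"), is the type component
# var_log_t, i.e. what "chcon -t var_log_t" set at build time? 0 if so.
var_log_context_ok() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); if (c[3] == "var_log_t") exit 0; exit 1 }'
}

# Run both checks against this host. Only meaningful on an SELinux-enabled
# Linux system; not invoked automatically so the file also runs elsewhere.
verify_live() {
    var_log_is_separate_mount "$(cat /proc/mounts)" \
        || { echo "FAIL: /var/log is not a separate mount (1.1.15)"; return 1; }
    var_log_context_ok "$(ls -dZ /var/log)" \
        || { echo "FAIL: /var/log type is not var_log_t; re-apply chcon -t var_log_t"; return 1; }
    echo "OK: /var/log is a separate mount labelled var_log_t"
}

# Constructed sample data (not captured from a real image).
SAMPLE_MOUNTS_GOOD='/dev/nvme0n1p1 / xfs rw,relatime 0 0
/dev/nvme1n1 /var/log xfs rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_MOUNTS_BAD='/dev/nvme0n1p1 / xfs rw,relatime 0 0'
SAMPLE_CTX_GOOD='system_u:object_r:var_log_t:s0 /var/log'
SAMPLE_CTX_BAD='system_u:object_r:unlabeled_t:s0 /var/log'

# Usage: run with --live on the resized instance to check the real host.
if [ "${1:-}" = "--live" ]; then
    verify_live
fi
```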

Note

Impact:

Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.

Keywords: partition increase


Copyright © 2020

Center for Internet Security®


Linked ticket: https://cisecurity.atlassian.net/browse/SUPPORT-14456

Created by: Nick Romanzo