Product Name
CIS Hardened Images® (AWS)
Product Version
All
Date
Problem
I would like to increase the partition size in my Linux Hardened Image, but I am worried it will compromise security recommendations in place. Do you have any guidance or best practices on how to increase partition size without compromising the controls in place (either technically or the spirit of the controls themselves)?
Solution
A part of CIS hardening is dedicating a separate partition for /var/log. Keeping the default size for /var/log to 6gb helps keep costs low by ensuring the AMIs use as little Block Storage as possible. However, it can certainly be resized for the end user’s needs. Deleting/re-creating the partition is certainly a viable option , the main hardening in line is ensuring it is separate from the rest of the system to protect against resource exhaustion and to protect audit data. However, when we create the partition and mount it, we also change the security context of it via SELinux with our chcon -t var_log_t /mnt
command (Mounted the created partition at /mnt while building). I would also keep in mind in accordance with the benchmark the noted impact of the recommendation I speak of.
Impact:
Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Add Comment