[Techtalk] Partitioning for security questions

Terry tech at futurecourse.com
Thu Dec 26 15:21:29 UTC 2013


Hi Carla,

On 02/12/2013 21:38, Carla Schroder wrote:
> Hello! So, you are elbow-deep in Debian guts :) I will answer what I
> can.
>

Yes I am, and having a ton o' fun learning new things.

In an effort to be tidier with my mail, I misspelled linuxchix in my 
.forward and forgot an x, but in my mail client I subscribed to the 
right spelling.  LOL.  So I haven't been getting the list mail.  Then 
two weeks of vacation and I just caught it.  Sorry for taking so long to 
respond.

> On Mon, 02 Dec 2013 12:17:10 -0800
> Terry <tech at futurecourse.com> wrote:
> [...]
>>
>> Questions:
>> 1.  As I understand it, the purpose of /var/tmp is to store files
>> that should survive a reboot and /tmp files won't survive a reboot.
>> If I join them together using bind does that change the /var/tmp
>> files' ability to survive a reboot?
>
> No. /var/tmp will still behave as it is supposed to. IMO binding them
> is unnecessarily complex as disk space is cheap and it's easy to give
> them their own partitions. But there may be some cool advantage I'm not
> aware of.

The only advantage I've found so far from binding them is when using 
apt.  See 2 below.  I just have two fewer configuration directives in 
apt.conf. So I guess not that much of an advantage, really.

I did read this about bind mounts but in my little world, I really don't 
see the advantages of using bind for my system except for the above and 
it makes for a simpler profile for my VPS.

https://hosam.wordpress.com/2011/02/08/tmpfs-and-bind-mounts/

In doing additional research, I also found that some people were 
recommending loop but no one really gave any reasons as to why they were 
using loop.  Did a little research on loop but am still figuring that 
one out.  I imagine that if you did a lot of disk mounting, unmounting, 
expansion, or had complex configurations, etc., loop and bind might come 
in pretty handy but my server and I are pretty simple kind of gals. :)

>> 2.  Debian recommends adding the following to /etc/apt/apt.conf to
>> forestall any problems with installing/upgrading packages:
>>
>> DPkg::Pre-Invoke{"mount -o remount,exec /tmp";};
>> DPkg::Post-Invoke {"mount -o remount /tmp";};
>>
>> If I decide to go with individual partitions for the tmp directories,
>> presumably I could add similar lines for /var/tmp in case something
>> uses /var/tmp for installation/updating during apt.  Is that correct?
>
> Yes, you can do this for any filesystem.

<snipped>

>> /var/mail & /var/spool/mail
>> 1. In Debian, /var/mail/spool is symlinked to /var/mail so presumably
>> creating a separate partition for /var/mail takes care of
>> /var/spool/mail and I shouldn't have to recreate the sym link.  Is
>> this correct?
>
> Correct.
>
> Please keep us posted on your progress, this is fun stuff :)
>
> Carla

Lots of fun. :) I am excited to get back to it after vacation.

I decided to initially go with a partition for /home and a partition for 
/tmp and binding /var/tmp.

My big step so far towards a more secure system (with respect to 
something I haven't done before) is to replace the Linode-supplied 
kernel with the stock Debian kernel and enable SELinux. So right now I 
am figuring out that beast.  LOL

Steps I've taken so far:
1.  Replaced kernel and enabled SELinux
2.  Installed Configserver Firewall and have that locked down with only 
port 80 outgoing open right now so I can install some packages.
3.  Set up my ssh on a non-standard port, denied root login, allowed only 
my user, and authenticate only with keys.
4.  Shut the server down and went on vacation. :)

I'm also documenting every step I take which is something I had done 
only piecemeal before.  Since I don't work in IT, I do things on server 
setup and then don't need to do them again for quite a while (read as 
when I get the bug to rebuild everything).  Then I can't remember 
exactly why it was I did something a particular way or exactly how I did 
it.  Hopefully, documenting will make server setup easier next time I 
get the bug.  For example, I always forget to make sure /tmp has the 
correct permissions then I have errors installing packages and have that 
"slap in the head duh" moment.  I remembered this time. :)

My next step is going to be compiling nginx with the naxsi web 
application firewall and creating a deb package.  Haven't done that 
before so that should be interesting.  I set up a development profile 
where I can install all the packages I need to compile and I can then 
reboot to my "production" profile and install my deb nginx package and I 
won't have any compilers on that profile.

Thanks, Carla.  Hope everyone is having a great holiday season. Off to 
see what I can break!

-- 
Terry
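As an added example (not part of the thread, and not code from Debian, apt or any tool named above): a small POSIX shell audit that reads /proc/mounts-style lines and checks that /tmp and a bind-mounted /var/tmp still carry nodev,nosuid,noexec, the options that the apt Pre-Invoke/Post-Invoke hooks quoted above temporarily relax and restore. The device names and mount lines are constructed sample input; on a real system you would pipe in `cat /proc/mounts`.

```shell
#!/bin/sh
# Audit tmp filesystems for the hardening mount options. Input lines follow
# the /proc/mounts layout: device mountpoint fstype options dump pass.
REQUIRED="nodev nosuid noexec"

# has_opt OPTS NAME -> exit 0 if NAME is one of the comma-separated OPTS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts reads mount lines on stdin and prints, for /tmp and /var/tmp,
# either "OK <mountpoint>" or "MISSING <mountpoint> <opt> ...".
# Exit status is the number of mountpoints lacking an option (0 = all good).
audit_mounts() {
    bad=0
    while read -r dev mp fstype opts rest; do
        case "$mp" in
            /tmp|/var/tmp) ;;
            *) continue ;;
        esac
        missing=""
        for o in $REQUIRED; do
            has_opt "$opts" "$o" || missing="$missing $o"
        done
        if [ -z "$missing" ]; then
            echo "OK $mp"
        else
            echo "MISSING $mp${missing}"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed sample (hypothetical device names): /tmp is hardened, and
# /var/tmp is a bind mount of the same device (so it gets its own line)
# that was remounted exec for a package install and never remounted back.
SAMPLE='/dev/xvda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/xvdb1 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/xvdb1 /var/tmp ext4 rw,nosuid,nodev,relatime 0 0'

if printf '%s\n' "$SAMPLE" | audit_mounts; then
    echo "all tmp mounts hardened"
else
    echo "$? tmp mount(s) need attention"
fi
```

The bind mount shows up as a separate line with its own options, which is why a remount on /var/tmp does not show on /tmp and each mountpoint is checked on its own.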
