Manualshelf

User guide

ManualsBrandsRed Hat ManualsOtherENTERPRISE LINUX 4 - SELINUX GUIDE
111112113114115116117118119120
Chapter 5.
105
Secure Installation
Security begins with the first time you put that CD or DVD into your disk drive to install Red Hat
Enterprise Linux. Configuring your system securely from the beginning makes it easier to implement
additional security settings later.
5.1. Disk Partitions
The NSA recommends creating separate partitions for /boot, /, /home, /tmp, and /var/tmp. The reasons
for each are different and we will address each partition.
/boot - This partition is the first partition that is read by the system during boot up. The boot loader
and kernel images that are used to boot your system into Red Hat Enterprise Linux are stored in this
partition. This partition should not be encrypted. If this partition is included in / and that partition is
encrypted or otherwise becomes unavailable then your system will not be able to boot.
/home - When user data (/home) is stored in / instead of in a separate partition, the partition can
fill up causing the operating system to become unstable. Also, when upgrading your system to the
next version of Red Hat Enterprise Linux it is a lot easier when you can keep your data in the /home
partition as it will not be overwritten during installation. If the root partition (/) becomes corrupt your
data could be lost forever. By using a separate partition there is slightly more protection against data
loss. You can also target this partition for frequent backups.
/tmp and /var/tmp - Both the /tmp and the /var/tmp directories are used to store data that doesn't need
to be stored for a long period of time. However if a lot of data floods one of these directories it can
consume all of your storage space. If this happens and these directories are stored within / then your
system could become unstable and crash. For this reason, moving these directories into their own
partitions is a good idea.
5.2. Utilize LUKS Partition Encryption
During the installation process an option to encrypt your partitions will be presented to the user. The
user must supply a passphrase that will be the key to unlock the bulk encryption key that will be used
to secure the partition's data.