# Linux - Hardening

The following Linux distributions can be hardened during provisioning:

* Debian 11, 12 and 13
* Ubuntu 22.04 and 24.04
* Oracle Linux 9 and later
* Red Hat Enterprise Linux 9

Recommendations from the [CIS Benchmark documents](https://www.cisecurity.org/benchmark) are followed to harden and secure our Linux operating systems.

## Filesystems

* Weak filesystem kernel modules are disabled
* Separate mount points for very active filesystems: /var/log, /var/log/audit, /var/tmp
* /var/log, /tmp and /var/tmp are protected
* Removable storage is disabled

### Default Partitioning Scheme

During provisioning, instances are deployed with a standardized LVM partitioning layout. The following logical volumes are created by default:

| Mount Point    | Size   | Purpose                      |
| -------------- | ------ | ---------------------------- |
| /              | 10 GB  | Root filesystem              |
| /boot          | ~1 GB  | Boot partition               |
| /boot/efi      | ~1 GB  | EFI system partition         |
| /home          | 2 GB   | User home directories        |
| /opt           | 4 GB   | Optional applications        |
| /var           | 2 GB   | Variable data                |
| /var/log       | 4 GB   | System logs                  |
| /var/log/audit | 1 GB   | Audit logs                   |
| /var/tmp       | 1 GB   | Temporary files (persistent) |
| /tmp           | 2 GB   | Temporary files              |
| swap           | 2 GB   | Swap space                   |

**Total allocated space in logical volumes: ~28 GB** (excluding the /boot and /boot/efi partitions)

> **Note:** The default partitioning scheme may vary depending on the operating system type (RHEL, Debian, Ubuntu) and version. The sizes indicated above are provided for reference purposes.

### Storage Allocation Behaviour

When provisioning an instance via ITcare, you can choose:

* The size of the system disk
* Additional storage volumes if needed

The provisioning process deploys the instance with the default partitioning scheme described above, but **does not automatically extend the logical volumes** to use all available disk space. The remaining space stays available in the LVM volume group for you to allocate according to your specific needs.

#### Example 1: Single System Disk (60 GB)

| Component                    | Size        |
| ---------------------------- | ----------- |
| System disk                  | 60 GB       |
| Volume group total           | ~58 GB      |
| Allocated (default LVs)      | 28 GB       |
| **Available for allocation** | **~30 GB**  |

#### Example 2: System Disk (70 GB) + Additional Volume (80 GB)

| Component                             | Size                |
| ------------------------------------- | ------------------- |
| System disk                           | 70 GB               |
| Additional volume                     | 80 GB (unformatted) |
| Volume group total (system disk only) | ~68 GB              |
| Allocated (default LVs)               | 28 GB               |
| **Available in VG for allocation**    | **~40 GB**          |
| **Additional volume available**       | **80 GB**           |

### Extending Storage After Provisioning

Once your instance is provisioned, you can allocate the available space according to your requirements:

* **Extend existing logical volumes** to increase space for specific mount points (e.g., /var/log, /opt, /home)
* **Create new logical volumes** for application data or databases
* **Format and mount additional volumes** for dedicated storage needs

This approach provides flexibility to adapt the storage layout to your specific application and data requirements.
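The following script is an added example, not part of the cegedim.cloud documentation, showing how the free space left in the volume group after provisioning can be checked before a logical volume is extended, and how the filesystem is grown in the same step. The volume group name `rootvg`, the logical volume name `var_log` and the requested sizes are assumptions; substitute the names shown by `vgs` and `lvs` on your instance.

```shell
#!/bin/sh
# Added example (not from the cegedim.cloud docs): grow a logical volume only if
# the volume group really has the room, and resize the filesystem in one step.
# VG/LV names and sizes are assumptions.
set -eu

# Parse the free size (whole GiB) from `vgs --noheadings --nosuffix --units g -o vg_free`
# output read on stdin, e.g. "  30.00" -> 30. Kept separate so it can be
# checked without LVM present.
parse_vg_free() {
    tr -d ' \t' | cut -d. -f1
}

# Free GiB in volume group $1 (LC_ALL=C so the decimal separator is always ".").
vg_free_gb() {
    LC_ALL=C vgs --noheadings --nosuffix --units g -o vg_free "$1" | parse_vg_free
}

# can_extend <free_gb> <wanted_gb>: 0 if the request fits, 1 otherwise.
# A 1 GiB margin is kept free so snapshots and LVM metadata still have room.
can_extend() {
    free=$1; want=$2; margin=1
    [ "$want" -gt 0 ] && [ $((free - margin)) -ge "$want" ]
}

# extend_lv <vg> <lv> <gb>: grow /dev/<vg>/<lv> by <gb> GiB and resize its
# filesystem (--resizefs runs resize2fs or xfs_growfs on the mounted volume).
extend_lv() {
    vg=$1; lv=$2; gb=$3
    free=$(vg_free_gb "$vg")
    if ! can_extend "$free" "$gb"; then
        echo "refusing: ${gb}G requested, only ${free}G free in VG $vg" >&2
        return 1
    fi
    lvextend -L "+${gb}G" --resizefs "/dev/${vg}/${lv}"
}

# create_lv <vg> <name> <gb>: new logical volume for application data, formatted
# with XFS (mount point and /etc/fstab entry are left to you).
create_lv() {
    vg=$1; name=$2; gb=$3
    free=$(vg_free_gb "$vg")
    if ! can_extend "$free" "$gb"; then
        echo "refusing: ${gb}G requested, only ${free}G free in VG $vg" >&2
        return 1
    fi
    lvcreate -L "${gb}G" -n "$name" "$vg"
    mkfs.xfs "/dev/${vg}/${name}"
}

# Usage (as root on the instance; names are assumptions):
#   extend_lv rootvg var_log 4      # /var/log gets 4 more GiB
#   create_lv rootvg appdata 20     # new 20 GiB volume for application data
```

Because the provisioning process leaves the unallocated space in the volume group, both helpers refuse a request that does not fit instead of letting `lvextend` fail half-way; the margin check is deliberately conservative.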

## Secure boot

* Ensure root password is required to boot in rescue mode

## Sudo usage

* Every use of the sudo command is logged

## Process hardening

* Several kernel parameters are enabled to protect running processes

## Network

* Unnecessary or weak network services are disabled (enforced by the configuration manager)
* The time synchronization service is configured and active
* IPv6 is disabled
* Several kernel parameters are set to protect the network stack
* Uncommon network protocols are disabled
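The process-hardening and network sections above state that kernel parameters are set, without listing them. The script below is an added example, not part of the cegedim.cloud documentation, that audits a provisioned instance against a small set of sysctl values; the expected values are assumptions taken from the CIS Benchmark guidance the page refers to (the IPv6 entry matches the "IPv6 is disabled" statement), not a list published on this page. The audit can run live with `sysctl -n` or offline against a saved `sysctl -a` snapshot.

```shell
#!/bin/sh
# Added example (not from the cegedim.cloud docs): audit kernel and network sysctl
# hardening. EXPECTED holds assumed CIS-derived values, not values from the page.
set -eu

# Expected "key=value" pairs, one per line (assumptions).
EXPECTED='kernel.randomize_va_space=2
fs.suid_dumpable=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv6.conf.all.disable_ipv6=1'

# audit_sysctl <lookup-fn>: calls <lookup-fn> <key> for every expected key,
# prints one line per mismatch and returns the number of mismatches (0 = pass).
audit_sysctl() {
    lookup=$1; bad=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$("$lookup" "$key" 2>/dev/null || echo "<unset>")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: expected $want, got $got"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Live lookup on the instance.
live_sysctl() { sysctl -n "$1"; }

# Lookup in a captured "key = value" listing (e.g. `sysctl -a > snapshot`), so the
# same audit can be run offline. Path comes from the SNAPSHOT variable.
snapshot_sysctl() {
    awk -v k="$1" '$1 == k { print $3; found = 1 } END { exit !found }' "${SNAPSHOT:?}"
}

# Usage on an instance:
#   audit_sysctl live_sysctl && echo "sysctl hardening OK"
# Offline against a snapshot taken from the instance:
#   SNAPSHOT=/path/to/snapshot audit_sysctl snapshot_sysctl
```

Running the audit in a cron job or from the configuration manager gives an early warning when a later change (a tuning tweak, a package post-install script) silently reverts one of the hardened settings.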

### RHEL 9 Specifics — Firewall (firewalld)

On **Red Hat Enterprise Linux 9** instances, the `firewalld` service is **enabled and started by default** from provisioning.

The default zone applied is `public`, which enforces a **deny-by-default** policy on incoming traffic: all inbound traffic is blocked unless explicitly allowed. By default, only the following services are permitted inbound:

| Service       | Port(s) |
| ------------- | ------- |
| SSH           | TCP 22  |
| DHCPv6-client | UDP 546 |

> **Note:** Outbound traffic is allowed by default. If your application requires additional open ports, you will need to add explicit firewalld rules using `firewall-cmd` or through your configuration management tool (e.g., Puppet).
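As an added example, not part of the cegedim.cloud documentation, the script below opens one extra inbound port in the default `public` zone with `firewall-cmd`, makes the change permanent, and confirms afterwards that the SSH service is still allowed so the change cannot lock the administrator out. Port `8443/tcp` is an assumed application port.

```shell
#!/bin/sh
# Added example (not from the cegedim.cloud docs): open an extra inbound port on a
# RHEL 9 instance running firewalld and verify the result. 8443/tcp is assumed.
set -eu

# valid_port_spec <spec>: accept only "<1-65535>/tcp" or "<1-65535>/udp" so a
# typo never reaches firewall-cmd. Returns 0 when valid.
valid_port_spec() {
    spec=$1
    port=${spec%/*}; proto=${spec#*/}
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# ssh_still_allowed: reads `firewall-cmd --list-services` output on stdin and
# succeeds only if "ssh" is among the allowed services of the zone.
ssh_still_allowed() {
    tr ' ' '\n' | grep -qx ssh
}

# open_port <spec>: add the port to the permanent configuration of the default
# zone (public), reload so the runtime matches, then show the effective zone.
open_port() {
    spec=$1
    valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    firewall-cmd --permanent --add-port="$spec"
    firewall-cmd --reload
    if ! firewall-cmd --list-services | ssh_still_allowed; then
        echo "WARNING: ssh is no longer allowed in the default zone" >&2
    fi
    firewall-cmd --list-all
}

# Usage (as root): open_port 8443/tcp
```

Adding the rule with `--permanent` alone changes only the saved configuration; the `--reload` is what applies it to the running firewall, which is why the SSH check runs after the reload. With a configuration manager such as Puppet, the same rule belongs in the managed firewalld configuration rather than in an ad-hoc command, so it survives a re-apply.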

## Logging

* Centralization of system logs
* Ensure that every event is logged

## Access and Authentication

* Ensure cron service is active and configured
* Ensure cron directories are protected
* Ensure SSH is active and configured
* Enforce secure SSH protocols and parameters
* Ensure idle sessions are terminated
* Ensure strong password rules are applied
* Ensure sensitive authentication files are protected
