Linux - Hardening
The following Linux distributions can be hardened during provisioning:
Debian 11 and 12
Ubuntu 22.04 and 24.04
Oracle Linux 9 and later
Red Hat Enterprise Linux 9
Recommendations from the CIS Benchmark documents are followed to harden and secure our Linux operating systems.
Filesystems
Some weak filesystems are disabled in the kernel
Separate mount points for very active filesystems: /var/log, /var/log/audit, /var/tmp
Protection of /var/log, /tmp and /var/tmp
Disabling removable storage
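The "protection" of /var/log, /tmp and /var/tmp above means, in CIS terms, that each is a separate mount carrying restrictive mount options. The following audit script is an added example (not part of this page or of the provisioning tooling): it checks /proc/mounts-style lines for the nodev, nosuid and noexec options that the CIS Benchmark recommends for those mount points (the exact option set enforced at provisioning is an assumption here), and reports what is missing. The mount lines, VG and LV names below are constructed sample data, not taken from a real instance.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not from a real host); /var/tmp deliberately lacks noexec.
SAMPLE_MOUNTS='/dev/mapper/vg_sys-lv_root / ext4 rw,relatime 0 0
/dev/mapper/vg_sys-lv_tmp /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg_sys-lv_var_tmp /var/tmp ext4 rw,nosuid,nodev,relatime 0 0
/dev/mapper/vg_sys-lv_var_log /var/log ext4 rw,nosuid,nodev,noexec,relatime 0 0'

# mount_opts MOUNTS MOUNTPOINT -> prints the option field of the line mounted at MOUNTPOINT
# (empty output when the path is not its own mount, i.e. it lives on a parent filesystem).
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }'
}

# has_opt OPTS OPT -> success if OPT is one of the comma-separated OPTS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_mount MOUNTS MOUNTPOINT REQUIRED_OPT... -> one status line per mount point;
# fails when the path is not a separate mount or lacks any required option.
check_mount() {
    mounts=$1; mp=$2; shift 2
    opts=$(mount_opts "$mounts" "$mp")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount"
        return 1
    fi
    missing=""
    for want in "$@"; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    echo "$mp: ok"
    return 0
}

# audit_mounts MOUNTS -> runs the checks for the three hardened mount points (assumed CIS option set)
audit_mounts() {
    rc=0
    check_mount "$1" /tmp     nodev nosuid noexec || rc=1
    check_mount "$1" /var/tmp nodev nosuid noexec || rc=1
    check_mount "$1" /var/log nodev nosuid noexec || rc=1
    return $rc
}

# Stand-alone run: audits the constructed sample unless MOUNTS is set by the caller.
if audit_mounts "${MOUNTS:-$SAMPLE_MOUNTS}"; then
    echo "all hardened mount points present"
else
    echo "hardening gaps found"
fi
```

On a live instance run it as `MOUNTS="$(cat /proc/mounts)" sh audit-mounts.sh`; a non-zero exit status is what a configuration-drift check or monitoring probe should alert on.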
Default Partitioning Scheme
During provisioning, instances are deployed with a standardized LVM partitioning layout. The following logical volumes are created by default:
| Mount point | Size | Purpose |
|---|---|---|
| / | 10 GB | Root filesystem |
| /boot | ~1 GB | Boot partition |
| /boot/efi | ~1 GB | EFI system partition |
| /home | 2 GB | User home directories |
| /opt | 4 GB | Optional applications |
| /var | 2 GB | Variable data |
| /var/log | 4 GB | System logs |
| /var/log/audit | 1 GB | Audit logs |
| /var/tmp | 1 GB | Temporary files (persistent) |
| /tmp | 2 GB | Temporary files |
| swap | 2 GB | Swap space |
Total allocated space: ~28 GB
Note: The default partitioning scheme may vary depending on the operating system type (RHEL, Debian, Ubuntu) and version. The sizes indicated above are provided for reference purposes.
Storage Allocation Behaviour
When provisioning an instance via ITcare, you can choose:
The size of the system disk
Additional storage volumes if needed
The provisioning process deploys the instance with the default partitioning scheme described above, but does not automatically extend the logical volumes to use all available disk space. The remaining space stays available in the LVM volume group for you to allocate according to your specific needs.
Example 1: Single System Disk (60 GB)
| Item | Value |
|---|---|
| System disk | 60 GB |
| Volume group total | ~58 GB |
| Allocated (default LVs) | 28 GB |
| Available for allocation | ~30 GB |
Example 2: System Disk (70 GB) + Additional Volume (80 GB)
| Item | Value |
|---|---|
| System disk | 70 GB |
| Additional volume | 80 GB (unformatted) |
| Volume group total (system disk only) | ~68 GB |
| Allocated (default LVs) | 28 GB |
| Available in VG for allocation | ~40 GB |
| Additional volume available | 80 GB |
Extending Storage After Provisioning
Once your instance is provisioned, you can allocate the available space according to your requirements:
Extend existing logical volumes to increase space for specific mount points (e.g., /var/log, /opt, /home)
Create new logical volumes for application data or databases
Format and mount additional volumes for dedicated storage needs
This approach provides flexibility to adapt the storage layout to your specific application and data requirements.
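The three operations above (extend an existing LV, create a new LV in the free space of the volume group, bring an additional unformatted volume under LVM) map onto a handful of lvm2 commands. The script below is an added example, not tooling shipped with the provisioning process; the volume group name `vg_sys`, the LV names (`lv_var_log`, `lv_data`) and the device `/dev/sdb` are placeholders to replace with the names shown by `vgs`/`lvs`/`lsblk` on your instance. It is dry-run by default (`DRY_RUN=1`) so the planned commands can be reviewed before being applied with `DRY_RUN=0`; new filesystems are mounted with `nodev,nosuid`, following the same hardening applied to the default data mount points.

```shell
#!/bin/sh
# Placeholder volume group name: replace with the VG reported by `vgs` on your instance.
VG=${VG:-vg_sys}
# Safe default: print the plan instead of running it. Set DRY_RUN=0 to apply.
DRY_RUN=${DRY_RUN:-1}

# run CMD ARG... -> prints the command under dry-run, otherwise executes it (as root)
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# show_free -> how much of the VG is still unallocated (the space provisioning leaves for you)
show_free() {
    run vgs -o vg_name,vg_size,vg_free "$VG"
}

# extend_lv LV SIZE -> grow an existing LV by SIZE (e.g. 4G) and resize its filesystem in one step
# (--resizefs hands the online grow to fsadm, which handles ext4 and xfs).
extend_lv() {
    run lvextend --resizefs -L "+$2" "/dev/$VG/$1"
}

# fstab_line LV MOUNTPOINT -> the /etc/fstab entry that makes a new mount persistent across reboots
fstab_line() {
    printf '/dev/%s/%s %s ext4 defaults,nodev,nosuid 0 2\n' "$VG" "$1" "$2"
}

# create_lv LV SIZE MOUNTPOINT -> new LV carved from the VG's free space, formatted and mounted
create_lv() {
    run lvcreate -L "$2" -n "$1" "$VG"
    run mkfs.ext4 "/dev/$VG/$1"
    run mkdir -p "$3"
    run mount -o nodev,nosuid "/dev/$VG/$1" "$3"
}

# add_volume DEVICE NEW_VG LV SIZE MOUNTPOINT -> put an additional, unformatted disk under LVM
# in its own volume group, then create, format and mount one LV on it
add_volume() {
    run pvcreate "$1"
    run vgcreate "$2" "$1"
    run lvcreate -L "$4" -n "$3" "$2"
    run mkfs.ext4 "/dev/$2/$3"
    run mkdir -p "$5"
    run mount -o nodev,nosuid "/dev/$2/$3" "$5"
}

# Stand-alone run (dry-run unless DRY_RUN=0): plan a 4 GB extension of the /var/log LV.
if [ "$DRY_RUN" = "1" ]; then
    extend_lv lv_var_log 4G
fi
```

Typical use is `show_free` first, then `extend_lv lv_var_log 4G` for the grow-in-place case, `create_lv lv_data 20G /srv/data` followed by appending `fstab_line lv_data /srv/data` to /etc/fstab for a new application volume, and `add_volume /dev/sdb vg_data lv_db 80G /var/lib/db` for the 80 GB additional volume of Example 2. Reducing an LV is deliberately not covered: unlike extension it is not safe online and needs a backup first.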
Secure boot
Ensure root password is required to boot in rescue mode
Sudo usage
Every use of the sudo command is logged
Process hardening
Several kernel parameters are enabled to protect running processes
Network
Unnecessary or weak network services are disabled (enforced by the configuration manager)
Ensure time service is configured and active
IPv6 is disabled
Several kernel parameters are set to protect the network stack
Uncommon network protocols are disabled
Logging
Centralization of system logs
Ensure that every event is logged
Access and Authentication
Ensure cron service is active and configured
Ensure cron directories are protected
Ensure SSH is active and configured
Force SSH secure protocols and parameters
Ensure idle sessions are terminated
Ensure strong password rules are applied
Ensure sensitive authentication files are protected