Filesystem mount options #1761
kingsleyzissou started this conversation in Ideas
-
@teg @achilleas-k @thozza do you have any thoughts or suggestions on this?
-
Background
Filesystem customizations landed in RHEL8.5 and RHEL9-beta, which means we can specify mountpoints in the blueprints and a partition is created for each supported mountpoint. This now puts us in a much better position with compliance with some of the security standards. There is room to expand on this going forward and I wanted to discuss what would be the best approach for this.
Fstab Options
Some of the benchmarks have specific requirements for the fstab options for some of the partitions. There are some similarities between them.

CIS
- nodev, nosuid & noexec options for the following mountpoints:
  - /tmp
  - /var/tmp
  - /dev/shm
- nodev option for the following mountpoints:
  - /home

DISA/STIG
- nodev, nosuid & noexec options for the following mountpoints:
  - /tmp
  - /var/tmp
  - /var/log
  - /var/log/audit
  - /dev/shm
- nosuid option for the following mountpoints:
  - /home
  - /boot

PCI-DSS
- No requirements
Solutions
Expose the fstab options
Do we want to expose setting these options in the blueprints customisations? i.e.

Limitations with this approach
It would not be possible to set fstab options for existing partitions such as /boot & the temp file system /dev/shm. Would we want to be able to support that?

Sensible defaults
Alternatively we could set sensible defaults and update the fstab options manually as needed.

Limitations
This would be a more manual approach, but could possibly be the more straightforward approach to solving this.
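An added example (not part of the original post or the project's code): a Python check that reads fstab-format text and reports which of the CIS and DISA/STIG mount options listed above are missing. The requirement table is transcribed from the post; the function names and the sample fstab are constructed for illustration.

```python
HARD = {"nodev", "nosuid", "noexec"}

# Mount option requirements as listed in the post, per benchmark.
REQUIRED = {
    "CIS": {"/tmp": HARD, "/var/tmp": HARD, "/dev/shm": HARD, "/home": {"nodev"}},
    "DISA/STIG": {"/tmp": HARD, "/var/tmp": HARD, "/var/log": HARD,
                  "/var/log/audit": HARD, "/dev/shm": HARD,
                  "/home": {"nosuid"}, "/boot": {"nosuid"}},
}

# Constructed sample, not taken from a real image.
SAMPLE_FSTAB = """\
# device   mountpoint type  options                      dump pass
UUID=aaaa  /          xfs   defaults                     0 0
UUID=bbbb  /boot      xfs   defaults                     0 0
UUID=cccc  /home      xfs   defaults,nodev               0 0
UUID=dddd  /tmp       xfs   defaults,nodev,nosuid,noexec 0 0
UUID=eeee  /var/tmp   xfs   defaults,nodev,nosuid        0 0
"""

def parse_fstab(text):
    """Return {mountpoint: set(options)} from fstab-format text."""
    mounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts

def audit(text, benchmark):
    """Map each non-compliant mountpoint to its missing options.

    A value of None means the mountpoint has no fstab entry at all,
    so there is no entry to carry the required options.
    """
    mounts = parse_fstab(text)
    findings = {}
    for mountpoint, needed in REQUIRED[benchmark].items():
        if mountpoint not in mounts:
            findings[mountpoint] = None
        elif needed - mounts[mountpoint]:
            findings[mountpoint] = sorted(needed - mounts[mountpoint])
    return findings

if __name__ == "__main__":
    for name in REQUIRED:
        print(name, audit(SAMPLE_FSTAB, name))
```

In the sample, /dev/shm is reported as having no entry under both benchmarks, which is the case the post raises under "Limitations with this approach".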