The Center for Internet Security (CIS) recommends a partitioning scheme for RHEL and compatible distributions, with several directories like /home, /tmp, /var and /var/log on their own partitions. Using the Logical Volume Manager (LVM) keeps the administrative effort for later resizing manageable.
CIS recommends separate partitions for seven directories with the following mount options:
| Directory | nodev | nosuid | noexec |
|---|---|---|---|
| /tmp | ✓ | ✓ | ✓ |
| /dev/shm | ✓ | ✓ | ✓ |
| /home | ✓ | ✓ | |
| /var | ✓ | ✓ | |
| /var/tmp | ✓ | ✓ | ✓ |
| /var/log | ✓ | ✓ | ✓ |
| /var/log/audit | ✓ | ✓ | ✓ |
/dev/shm is already tmpfs by default on RHEL and doesn't need to be defined in the Kickstart file.
The maintained version lives in the Linuxfabrik/kickstart repo as part_cis inside lf-rhel.cfg. We extend the CIS scheme with an additional /backup partition (for local backups, e.g. via linuxfabrik.lfops.borg_local), totaling eight mountpoints plus swap:
```
logvol / --fstype="xfs" --size=4096 --vgname=rl --name=root
logvol /backup --fstype="xfs" --size=1024 --vgname=rl --name=backup --fsoptions="nodev,noexec,nosuid"
logvol /home --fstype="xfs" --size=1024 --vgname=rl --name=home --fsoptions="nodev,nosuid"
logvol /tmp --fstype="xfs" --size=1024 --vgname=rl --name=tmp --fsoptions="nodev,noexec,nosuid"
logvol /var --fstype="xfs" --size=4096 --vgname=rl --name=var --fsoptions="nodev,nosuid"
logvol /var/log --fstype="xfs" --size=2048 --vgname=rl --name=var_log --fsoptions="nodev,noexec,nosuid"
logvol /var/log/audit --fstype="xfs" --size=512 --vgname=rl --name=var_log_audit --fsoptions="nodev,noexec,nosuid"
logvol /var/tmp --fstype="xfs" --size=1024 --vgname=rl --name=var_tmp --fsoptions="nodev,noexec,nosuid"
logvol swap --fstype="swap" --recommended --vgname=rl --name=swap
```
The volume group is named rl (Rocky Linux). On a RHEL install it might be rhel; the name is purely conventional and can be adjusted.
/dev/shm is automatically mounted as tmpfs with nodev,nosuid,noexec provided that /etc/fstab carries the corresponding line; on RHEL this is already the default. /home and /var deliberately omit noexec, as those locations legitimately host executables (user scripts, packages under /var/lib). For /var/log and /var/log/audit, what makes sense depends on the log volume.
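To verify that a Kickstart file, and later the installed system, actually carries the mount options from the CIS table above, here is a small audit script. It is an added example and not part of the Linuxfabrik/kickstart repo: it parses `logvol` lines (pre-install check) and `/proc/mounts`-style lines (post-install check) and reports every mountpoint that is missing a partition or a required option. The two sample inputs are constructed for illustration; the Kickstart sample deliberately drops `noexec` from /var/log/audit, and the mounts sample has /tmp mounted too loosely and no separate /var/log/audit. Because /dev/shm is not defined in the Kickstart file, the Kickstart audit skips it.

```python
"""Audit CIS-recommended mount options for separately mounted directories.

Added example, not code from the Linuxfabrik/kickstart repo. Sample inputs
below are constructed; the CIS table is the one given on this page.
"""
import os
import shlex

# CIS-recommended mount options per directory (from the table on this page).
CIS_MOUNT_OPTIONS = {
    "/tmp": {"nodev", "nosuid", "noexec"},
    "/dev/shm": {"nodev", "nosuid", "noexec"},
    "/home": {"nodev", "nosuid"},
    "/var": {"nodev", "nosuid"},
    "/var/tmp": {"nodev", "nosuid", "noexec"},
    "/var/log": {"nodev", "nosuid", "noexec"},
    "/var/log/audit": {"nodev", "nosuid", "noexec"},
}


def parse_kickstart_logvols(text):
    """Return {mountpoint: set(fsoptions)} for every 'logvol' line."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("logvol "):
            continue
        parts = shlex.split(line)  # strips the quotes in --fsoptions="a,b"
        mountpoint = parts[1]
        opts = set()
        for part in parts[2:]:
            if part.startswith("--fsoptions="):
                opts = set(filter(None, part.split("=", 1)[1].split(",")))
        result[mountpoint] = opts
    return result


def parse_proc_mounts(text):
    """Return {mountpoint: set(options)} from /proc/mounts-style lines."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts format: device mountpoint fstype options dump pass
        result[fields[1]] = set(fields[3].split(","))
    return result


def audit(mounts, requirements):
    """Compare parsed mounts against requirements.

    Returns {mountpoint: [findings]}; mountpoints with no findings are absent.
    """
    findings = {}
    for mountpoint, required in requirements.items():
        if mountpoint not in mounts:
            findings[mountpoint] = ["missing partition"]
            continue
        missing = sorted(required - mounts[mountpoint])
        if missing:
            findings[mountpoint] = [f"missing option {o}" for o in missing]
    return findings


def audit_kickstart(text):
    """Audit a Kickstart file; /dev/shm is tmpfs by default and not defined there."""
    reqs = {k: v for k, v in CIS_MOUNT_OPTIONS.items() if k != "/dev/shm"}
    return audit(parse_kickstart_logvols(text), reqs)


def audit_running_system(text):
    """Audit /proc/mounts content of an installed system."""
    return audit(parse_proc_mounts(text), CIS_MOUNT_OPTIONS)


# Constructed sample: /var/log/audit deliberately lacks noexec.
KICKSTART_SAMPLE = """\
logvol / --fstype="xfs" --size=4096 --vgname=rl --name=root
logvol /home --fstype="xfs" --size=1024 --vgname=rl --name=home --fsoptions="nodev,nosuid"
logvol /tmp --fstype="xfs" --size=1024 --vgname=rl --name=tmp --fsoptions="nodev,noexec,nosuid"
logvol /var --fstype="xfs" --size=4096 --vgname=rl --name=var --fsoptions="nodev,nosuid"
logvol /var/log --fstype="xfs" --size=2048 --vgname=rl --name=var_log --fsoptions="nodev,noexec,nosuid"
logvol /var/log/audit --fstype="xfs" --size=512 --vgname=rl --name=var_log_audit --fsoptions="nodev,nosuid"
logvol /var/tmp --fstype="xfs" --size=1024 --vgname=rl --name=var_tmp --fsoptions="nodev,noexec,nosuid"
logvol swap --fstype="swap" --recommended --vgname=rl --name=swap
"""

# Constructed sample: /tmp mounted with nodev only, no separate /var/log/audit.
PROC_MOUNTS_SAMPLE = """\
/dev/mapper/rl-root / xfs rw,relatime,attr2,inode64 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/rl-home /home xfs rw,nodev,nosuid,relatime 0 0
/dev/mapper/rl-tmp /tmp xfs rw,nodev,relatime 0 0
/dev/mapper/rl-var /var xfs rw,nodev,nosuid,relatime 0 0
/dev/mapper/rl-var_log /var/log xfs rw,nodev,noexec,nosuid,relatime 0 0
/dev/mapper/rl-var_tmp /var/tmp xfs rw,nodev,noexec,nosuid,relatime 0 0
"""

if __name__ == "__main__":
    print("Kickstart sample:", audit_kickstart(KICKSTART_SAMPLE))
    print("Mounts sample:", audit_running_system(PROC_MOUNTS_SAMPLE))
    if os.path.exists("/proc/mounts"):  # audit the machine this runs on
        with open("/proc/mounts") as f:
            print("This system:", audit_running_system(f.read()))
```

The audit compares option sets, so the order in which `mount` lists options is irrelevant; a directory that is merely a subdirectory of /var rather than its own mount shows up as "missing partition", which is the finding CIS cares about first.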