starred/hardening

Fork 0

mirror of https://github.com/konstruktoid/hardening.git synced 2026-04-26 09:15:55 +03:00

[GH-ISSUE #118] Unclear instructions on initial partitioning #57

New issue

Closed

opened 2026-03-03 13:58:46 +03:00 by kerem · 2 comments

kerem commented

2026-03-03 13:58:46 +03:00

Owner

Originally created by @KoenDG on GitHub (Apr 30, 2022).
Original GitHub issue: https://github.com/konstruktoid/hardening/issues/118

Originally assigned to: @konstruktoid on GitHub.

The instructions say this do create the following setup during initial installation:

=== Partition the system

/
/boot (rw)
/home (rw,nosuid,nodev)
swap
/var
/var/log (rw,nosuid,nodev,noexec)
/var/log/audit (rw,nosuid,nodev,noexec)
/var/tmp (rw,noexec,nodev,nosuid)

However, the options provided by the installer doesn't allow for setting those flags during initial setup. Or at least: not that I've been able to find.

Second, Are these supposed to be GPT partitions or Logical Volumes? Most articles I'm finding say they're basically the same and LVM is more flexible, but nothing truly explains the difference.

Lastly: Since I'm currently having to boot into the finished installation, I noticed that all the mounts have the default options.

Which according to the manpage means:

defaults
    Use default options: rw, suid, dev, exec, auto, nouser, async, and relatime.

Should that be left in, or removed? Certainly async seems very useful.

So, final questions:

1/ Is there a way to set those flags during initial setup, or do we need to finalize the setup, log in, alter /etc/fstab and reboot?

2/ GPT Partitions or LVM?

3/ Leave defaults mount flag or not?

And also

4/ What about /boot/efi which ubuntu automatically sets as VFAT?

Originally created by @KoenDG on GitHub (Apr 30, 2022). Original GitHub issue: https://github.com/konstruktoid/hardening/issues/118 Originally assigned to: @konstruktoid on GitHub. The instructions say this do create the following setup during initial installation: === Partition the system ``` / /boot (rw) /home (rw,nosuid,nodev) swap /var /var/log (rw,nosuid,nodev,noexec) /var/log/audit (rw,nosuid,nodev,noexec) /var/tmp (rw,noexec,nodev,nosuid) ``` However, the options provided by the installer doesn't allow for setting those flags during initial setup. Or at least: not that I've been able to find. Second, Are these supposed to be GPT partitions or Logical Volumes? Most articles I'm finding say they're basically the same and LVM is more flexible, but nothing truly explains the difference. Lastly: Since I'm currently having to boot into the finished installation, I noticed that all the mounts have the `default` options. Which according to the manpage means: ``` defaults Use default options: rw, suid, dev, exec, auto, nouser, async, and relatime. ``` Should that be left in, or removed? Certainly `async` seems very useful. So, final questions: 1/ Is there a way to set those flags during initial setup, or do we need to finalize the setup, log in, alter `/etc/fstab` and reboot? 2/ GPT Partitions or LVM? 3/ Leave defaults mount flag or not? And also 4/ What about `/boot/efi` which ubuntu automatically sets as VFAT?

kerem closed this issue

2026-03-03 13:58:46 +03:00

kerem commented

2026-03-03 13:58:47 +03:00

Author

Owner

@konstruktoid commented on GitHub (May 2, 2022):

Hi @KoenDG and so sorry for the late reply.
1 - No, sorry to say you'll need to finalize the setup, log in and alter /etc/fstab.
2 - My personal preference is LVM, since it's easy to modify.
3 - Remove defaults mount flag and replace them with the recommended settings or your personal preference, e.g. async.
4 - Since https://github.com/konstruktoid/hardening/pull/114/files, vfat is no longer blocked by default.

@konstruktoid commented on GitHub (May 2, 2022): Hi @KoenDG and so sorry for the late reply. 1 - No, sorry to say you'll need to finalize the setup, log in and alter `/etc/fstab`. 2 - My personal preference is LVM, since it's easy to modify. 3 - Remove defaults mount flag and replace them with the recommended settings or your personal preference, e.g. `async`. 4 - Since https://github.com/konstruktoid/hardening/pull/114/files, `vfat` is no longer blocked by default. <img width="1200" alt="Screenshot 2022-05-02 at 17 18 51" src="https://user-images.githubusercontent.com/7956715/166310283-0ec7891c-ad1a-449d-8e60-54d3862bbc8c.png"> <img width="1200" alt="Screenshot 2022-05-02 at 17 19 17" src="https://user-images.githubusercontent.com/7956715/166310301-582a203e-4681-4708-9ec9-b264a9d182a9.png"> <img width="1200" alt="Screenshot 2022-05-02 at 17 31 50" src="https://user-images.githubusercontent.com/7956715/166310392-4fd904c9-baad-4961-9f8d-0e410e07aaa9.png"> <img width="1200" alt="Screenshot 2022-05-02 at 17 32 58" src="https://user-images.githubusercontent.com/7956715/166310413-6adb9232-6028-4d65-b57f-ad0ef902b12b.png"> <img width="1200" alt="Screenshot 2022-05-02 at 17 34 38" src="https://user-images.githubusercontent.com/7956715/166310431-bd9445ab-8191-4ea4-9ec0-9da12aa46d44.png">

kerem commented

2026-03-03 13:58:47 +03:00

Author

Owner

@KoenDG commented on GitHub (May 3, 2022):

Hi, thanks for your detailed response. I saw these "default" options and no advice concerning it, that was my main motivator to ask.

Thanks for your time.

@KoenDG commented on GitHub (May 3, 2022): Hi, thanks for your detailed response. I saw these "default" options and no advice concerning it, that was my main motivator to ask. Thanks for your time.

No labels

Stale

bug

pull-request

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/hardening#57

No description provided.

Rows
Columns