I have made modifications to several mountpoints on the system.
By default, /tmp and /var/tmp are part of the filesystem. I made the following modification to /etc/fstab to mount a 20mb slice of memory to those directories. I have also set the mount options to nodev, noexec, and nosuid. This means that those directories will not be able to contain device files or executables. This prevents hackers from uploading an executable to the directories or creating any devices that may circumvent the security.
tmpfs /tmp tmpfs nodev,noexec,nosuid,size=20m 0 0
tmpfs /var/tmp tmpfs nodev,noexec,nosuid,size=20m 0 0
By default, Fedora mounts /dev/shm as a memory filesystem. I added the noexec, nosuid, and nodev options.
tmpfs /dev/shm tmpfs noexec,nosuid,nodev 0 0
By default, /dev/pts is mounted with world-readable permissions for the directory. I added mode=620 so that users would not be able to see who was logged in. The side effect of this is that the users are unable to know what tty they are on. I have not run into any issues with this yet.
devpts /dev/pts devpts gid=5,mode=620 0 0
I have one nfs mount that contains website files. I set it to nosuid and nodev for security, but not noexec as there are files on the nfs mount that need execute permissions. There is also a SELinux boolean called httpd_use_nfs, but I’ll cover that in another post. The nfs mount is set to read-only, which is redundant as the nfs server exports it as read-only.
192.168.1.4:/a1 /a1 nfs timeo=14,intr,vers=3,ro,nosuid,nodev,nolock
There is one mountpoint in Fedora that I could not configure through fstab. It’s /dev/mqueue. In order to add the nodev, noexec, nosuid options, I setup a cronjob that executes the following:
/bin/mount -o remount,nodev,noexec,nosuid /dev/mqueue