Feeling blue? Part 2

So in the first part of this series we did some basics on our browser and discussed how to use a password manager. In this part we will go deeper into the concepts of protecting your desktop and how to think about security and privacy.

Why should I care?

Well for one this is becoming a very important topic and for the layman/woman it is not a easy task to wrap your head around this.

Tinfoil

It might have been somewhat of a lie to say that the basics of security and privacy starts at the browser and password level. Surely they are a integral part, so now it is time to put on the tinfoil hat and get dirty.

Operating system

So the first issue here is what Operating System you are using at the moment. There are several to choose from, or three (Windows, Linux, BSD and OSx). If you feel the need to be safe any of the above is “okay”, if you are using the latest one. As you might imagine I prefer Linux and specifically CentOS. Independent of what your personal choice is remember:

  • Keep the applications and Operating System updated
  • Keep to well known applications and distribution points
  • Always run a script-blocker in the browser
  • Ensure that basic security is adhered to at all times
  • Never trust an email or link
  • If it seems to good to be true take it as a warning sign

Since I mostly use CentOS we will now take it up a notch and start discussing particulars.

Installation

First and foremost let us discuss the source of the medium with which we will install the Operating System. On the website of CentOS you can find mirrors that is geographically close to you so go ahead and download the “Netinstall” image from there. Then proceed to ensure that the image is correct.

To prepare for the installation we need to do some things first…

Information

Base install aims to be a complete, secure and slim Operating System that uses a well-known Linux distribution as the foundation. CentOS 6.X fulfills all the demands and is also widely used due to those facts, but to further develop the concept some changes  has been made. To support newer and a more wide range of packages CentOS 7.X is also used with the same parameters as the above.

Preamble

Hardware

To be able to handle restrictive hardware allocations the guide is based upon hardware with the following specifications:

CPU: 2 core
RAM: 2048MiB
HDD: 20GiB

What you add later is then dependent on the role of the server but this will be enough for most roles (DNS/DHCP/FTP/HTTP).

To be able to fit within this narrow margin but still be able to handle a wild card physical machine follow these rules:

  • At least 2 hard-drives
  • Use RAID to create 2 logical volumes
  • Always use RAID (fake-raid/software if you lack a RAID card)

So if the above is true we will create a logical RAID volume with 20GiB of storage space and let the other logical volume be the second drive where all data storage will take place.

Partitions

The partition scheme is based upon security guides provided by the community and to secure against local file-system vulnerabilities. Each physical disk is split into three  partitions one for the /boot partition, one for the EFI partition and the third for the full disk with LVM. All partitions should be XFS formatted where applicable.

VG0
Mount Size Name Comment
/ 1GiB root Root partition
/tmp 1GiB tmp Temporary files
/usr 4GiB usr Binary and library
/var 2GiB var System variable files
/var/log 1GiB var_log Logfiles
/var/log/audit 512MiB var_log_audit Logfiles
/boot 512MiB boot Boot files and Kernel
/boot/efi 512MiB efi EFI files
/home 1GiB home User files
N/A 1GiB swap Swap file
VG1

 

Mount Size Name Comment
/srv/store0 512GiB store0 Blob storage

When the role of the server/workstation then demands extra storage (database/web/videos) a second harddrive is added. Instead of cluttering the system with partitioned drives there will be two drives (sda and sdb). Where sdb will not contain any MBR/GPT tables but instead it will be a physical volume.

One thought here is that if this is for instance a NFS server where we know that data volumes will be above 2TiB it is suggested that you splice the data over more then one extra hard-drive. This is both true for virtual and physical environments since moving a hard-drive of +2TiB is really time consuming.

There is no magical one-fits-all solutions, if you are going to be using 200TiB NFS server then you might need to think a bit extra ;).

Filesystem

Usually there is a good reason to use for instance /opt, in the documentation here we always use /usr/local. This will contain anything local and unique to the server/workstation. Above all else try and keep to normal shares otherwise, adding complexity will not make normal system tasks easy on the administrators. Also always keep to the thing you decide upon.

Resources

Halmstad Högskola

CentOS wiki

HighOn.Coffee

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s