Mounting of filesystems

All filesystems in Linux must be mounted before they can be used—this is quite simply the mapping of a block device, such as a partition on a disk, to a path. To most users, this is transparent and happens at boot time, but for those responsible for configuring systems, it needs some attention. For example, the /tmp filesystem is usually writable by all users, and so it is desirable not to let users execute files from this directory, as they could place any arbitrary binary there to be run by themselves or someone else. Thus, this filesystem is often mounted with the noexec flag to achieve exactly this.

Changing mount options for partitions (and indeed partition structure) can be problematic on machines that have already been deployed. In addition, many cloud platforms feature a flat filesystem structure and, as such, the preceding example of /tmp may not be achievable as it cannot be mounted separately from the root partition. As a result, I recommend that you factor this part of the CIS Benchmark into your server (or image) build process and create exclusions for public cloud platforms where required.

The benchmarks in section 1.1 of the CIS Benchmark (entitled Filesystem Configuration) concern exactly these kinds of details and, again, these will need to be tailored to your environment. For example, benchmark 1.1.1.8 recommends disabling the ability to mount FAT filesystems, and section 1.1.5 recommends disabling binary execution on /tmp, as discussed previously. These are both scored benchmarks and, at the time of writing, there should be little need to use or mount FAT volumes or execute files from /tmp. However, in some legacy environments, this could still be required and so this should be applied with some care.

Similarly, there are many recommendations around having separate filesystems for important paths such as /tmp and /var, and also special mount options. All of these will work in a large number of cases but, again, it would be too bold to state that this will work for everyone, especially in preexisting environments, and so these should be applied but with an understanding of the environmental requirements.
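The two /tmp points above (a separate filesystem, mounted with noexec) and the caveat about flat cloud images can be checked before a build is signed off. The following is an added POSIX shell example written for this page, not an audit script from the book or from the CIS Benchmark itself; it reads fstab-formatted text and reports whether a mount point has its own entry and carries each required option. The fstab lines and UUIDs are constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit fstab-style entries for the CIS filesystem recommendations
# (separate filesystem for a path, plus mount options such as noexec).
# The fstab text below is constructed for the demonstration, not from a real host.

SAMPLE_FSTAB='# <device>      <mount point> <type> <options>                      <dump> <pass>
UUID=1111-aaaa  /             ext4   defaults                       0 1
UUID=2222-bbbb  /tmp          ext4   defaults,noexec,nosuid,nodev   0 2
tmpfs           /dev/shm      tmpfs  defaults                       0 0'

# mount_opts MOUNTPOINT FSTAB_TEXT
# Print the options field of the first non-comment entry for MOUNTPOINT.
# Prints nothing when the path has no entry of its own (e.g. a flat cloud image).
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print $4; exit }'
}

# has_opt OPTIONS OPTION
# Return 0 when OPTION appears in the comma-separated OPTIONS list.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount MOUNTPOINT FSTAB_TEXT OPTION...
# Report PASS/FAIL per option; return 1 if the path is not a separate
# filesystem or lacks any of the required options.
check_mount() {
    mp=$1; fstab=$2; shift 2
    opts=$(mount_opts "$mp" "$fstab")
    if [ -z "$opts" ]; then
        echo "FAIL $mp is not a separate filesystem (no fstab entry)"
        return 1
    fi
    rc=0
    for want in "$@"; do
        if has_opt "$opts" "$want"; then
            echo "PASS $mp mounted with $want"
        else
            echo "FAIL $mp lacks $want"
            rc=1
        fi
    done
    return $rc
}

# Demonstration against the constructed sample: /tmp passes, /dev/shm lacks
# noexec, and /var has no entry at all (the flat-filesystem case).
check_mount /tmp     "$SAMPLE_FSTAB" noexec nosuid nodev
check_mount /dev/shm "$SAMPLE_FSTAB" noexec
check_mount /var     "$SAMPLE_FSTAB" nodev
```

On a real host, replace the sample with `check_mount /tmp "$(cat /etc/fstab)" noexec nosuid nodev`; a FAIL for "not a separate filesystem" is exactly the condition the text describes on flat cloud images, where the recommendation has to be excluded rather than forced.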

Having looked at the implications of the CIS Benchmarks on how filesystems are mounted, we will proceed to look at the recommendations around intrusion detection using file checksumming.
