
Filesystem Security
I don't do much with the filesystems as far as security goes, but I do add a few things to /etc/fstab in order to make a machine a little more secure. The 2.4 kernel includes the tmpfs filesystem. This is basically a memory filesystem that resides on your system during operation. Anything stored there is lost every time you reboot, so it is important that only temporary data goes there.

Red Hat ships with /dev/shm mounted as a tmpfs filesystem. By default, Red Hat does not create a separate /tmp filesystem; /tmp resides within your root filesystem /. I'm not a big fan of this behavior, so I change it, and make sure that device files and SUID bits on the /tmp filesystem are not honored (the nodev and nosuid mount options). I also apply those options to /dev/shm by having these entries in /etc/fstab:

none                    /dev/shm                tmpfs   rw,nosuid,nodev         0 0
none                    /tmp                    tmpfs   rw,nosuid,nodev         0 0

Keep in mind that you should not store anything you need to keep in /tmp, or it will disappear on the next reboot. But mounting /tmp this way increases security, as a lot of exploits try to place a SUID shell in /tmp, and they would fail now.
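
To confirm that the fstab entries above actually took effect, the mount table can be checked for the nosuid and nodev options. The script below is an added example, not part of the original page; check_mount and write_sample are hypothetical helper names, and the sample mount table is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). check_mount and write_sample
# are hypothetical helper names; the sample mount table is constructed.

# check_mount MOUNTS_FILE MOUNTPOINT
# Returns 0 if the mount has nosuid and nodev, 1 if one is missing,
# 2 if MOUNTPOINT is not a separate mount (it lives on its parent filesystem).
check_mount() {
    mounts_file=$1
    target=$2
    # Fields: device mountpoint fstype options dump pass. Keep the last
    # match, because a later mount on the same path shadows an earlier one.
    opts=$(awk -v t="$target" '$2 == t { o = $4 } END { print o }' "$mounts_file")
    if [ -z "$opts" ]; then
        echo "$target: not a separate mount"
        return 2
    fi
    missing=""
    for want in nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$target: missing$missing (options: $opts)"
        return 1
    fi
    echo "$target: ok ($opts)"
}

# Constructed sample in /proc/mounts format: /tmp carries both options,
# /dev/shm lacks nodev, and /var/tmp has no entry of its own.
write_sample() {
    cat > "$1" <<'EOF'
/dev/hda1 / ext3 rw 0 0
none /proc proc rw 0 0
none /dev/shm tmpfs rw,nosuid 0 0
none /tmp tmpfs rw,nosuid,nodev 0 0
EOF
}

sample=$(mktemp)
write_sample "$sample"
for mp in /tmp /dev/shm /var/tmp; do
    check_mount "$sample" "$mp" || true
done
rm -f "$sample"
# On a live system: check_mount /proc/mounts /tmp
```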


Eric Thern
2002-08-27