Profile Applicability:
 • Level 2

Description:
 The /home directory contains user home directories and personal data. Mounting /home on a separate partition isolates user data from the root filesystem, improving system stability, security, and ease of backup.

Rationale:
 Having /home on a separate partition limits the impact of filesystem corruption or disk space exhaustion to user data only, preventing system crashes or denial of service. It also allows applying specific mount options and simplifies backup and restoration processes.

Impact:
 Pros:

  • Isolates user data from system files.

  • Limits disk space exhaustion impact to /home.

  • Simplifies backup and recovery of user data.

Cons:

  • Requires additional partitioning and disk space allocation.

  • Incorrect configuration may cause boot or login issues.

Default Value:
 By default, /home is often part of the root filesystem and not a separate partition.

Pre-requisites:

  • Root or sudo privileges to modify disk partitions and /etc/fstab.

  • Backup of critical data before repartitioning.

Remediation:

Test Plan:

Using Linux command line:

  1. Check current mount points:

     mount | grep /home
  2. Verify /home is mounted on a separate partition:

     findmnt /home
  3. Check /etc/fstab for /home entry:

     grep /home /etc/fstab

  Expected output: /home should be listed as a separate mount point with appropriate options.
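
The checks above can be scripted. The following is an added example, not part of the benchmark text: a POSIX shell function, audit_home (a hypothetical name), that reads /etc/fstab or /proc/self/mounts and fails when /home has no entry of its own or lacks the nodev, nosuid and noexec options used in the fstab example in the Implementation Plan. The sample files and device names are constructed.

```shell
#!/bin/sh
# Added example: audit an fstab-format file for a dedicated /home entry.
# /etc/fstab and /proc/self/mounts share the leading columns
# (device, mount point, type, options), so one parser serves both.

REQUIRED_OPTS="nodev nosuid noexec"   # from this page's fstab example

# Print the options column of the last non-comment /home entry; fail if none.
home_opts() {
    awk '$1 !~ /^#/ && $2 == "/home" { o = $4; n++ }
         END { if (!n) exit 1; print o }' "$1"
}

# Print a verdict. Returns 0 = compliant, 1 = options missing, 2 = no /home entry.
audit_home() {
    if ! opts=$(home_opts "$1"); then
        echo "FAIL $1: /home is not a separate mount"
        return 2
    fi
    missing=""
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;                    # whole option present
            *) missing="$missing $want" ;;     # absent, or only a substring match
        esac
    done
    if [ -n "$missing" ]; then
        echo "FAIL $1: /home lacks:$missing"
        return 1
    fi
    echo "PASS $1: /home mounted with $opts"
}

# Constructed sample files (hypothetical devices) so the demo runs offline.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf '%s\n' '/dev/sda1 / ext4 defaults 0 1' \
    '#/dev/sdb1 /home ext4 defaults,nodev,nosuid,noexec 0 0' > "$SAMPLES/no_home"
printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' \
    '/dev/sdb1 /home ext4 rw,nosuid,relatime 0 0' > "$SAMPLES/weak"
printf '%s\n' '/dev/sda1 / ext4 defaults 0 1' \
    '/dev/sdb1 /home ext4 defaults,nodev,nosuid,noexec 0 0' > "$SAMPLES/good"

for f in no_home weak good; do
    audit_home "$SAMPLES/$f" || true
done
# On a real host: audit_home /etc/fstab; audit_home /proc/self/mounts
```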



Implementation Plan:

Using Linux command line:

  1. Create a separate partition or logical volume for /home (using tools like fdisk or lvcreate).

  2. Format the new partition:

     mkfs.ext4 /dev/<partition>
  3. Backup current /home contents:

     cp -a /home /home_backup
  4. Mount the new partition temporarily:

     mount /dev/<partition> /mnt
  5. Copy back the contents:

     cp -a /home_backup/. /mnt/
  6. Modify /etc/fstab to mount the new partition at /home with secure options, for example:

     /dev/<partition>  /home  ext4  defaults,nodev,nosuid,noexec  0  0
  7. Unmount temporary mount:

     umount /mnt
  8. Mount /home:

     mount /home
  9. Verify mount and permissions.

Backout Plan:

Using Linux command line:

  1. Remove or comment out the /home entry in /etc/fstab.

  2. Unmount /home:

     umount /home
  3. Restore original /home contents if needed:

     cp -a /home_backup/. /home/
  4. Reboot system or remount root filesystem.

References: