How-To: Custom Partition for Security

My question is: How do I create the custom partitions required for a ‘secure’ setup?

I have an automatic setup server up and running :smiley: The 24 hour startup / burn-in period will complete in 3 hours. HOWEVER I did notice that more specific partitioning is required for secure servers.

  • I explored the disk allocation menu but saw nothing that allowed customized partitioning. :thinking:
  • I tried to go to the security section first - no joy.



As far as ‘I’ recall, ‘custom’ partitioning during ‘manual’ installation has been going down the toilet, or disappearing altogether, for some time now (10+ years).
Using Kickstart and it’s partition/filesystem definition sections has been the only method that ‘I’ know of, to create whatever layout you’d want…

Thanks Lothar. I guess I have to learn Kickstart if I want to enable those security requirements as listed in the security program. :thinking: The lack of a manual partitioning system feels like an oversight as I can’t be the only person who wants to create a more robust, more secure server.


It also gives you complete control of what packages (or package ‘groups’) you want (or don’t want) installed…

The advantage of having a Kickstart environment (which is harder to setup the first time, than just periodically upgrading it with each new release) is that its ‘self-documenting’, and once you have the process configured, you can just rebuild a system ‘over and over’ without having to go thru that manual process of ‘selection’ each time…

If you get a Kickstart environment setup, or build from an Anaconda (host-config) file, here’s a snippet from my ‘standard’ O/S drive layout:

# EL 7.x (and greater) 'default' LVM software RAID disk layout
# Disk to install to.  On SmartArray systems, this will be 'cciss/c0d0'.  On
# IDE systems, it will be 'hda'.  On SCSI/SATA systems, it will be 'sda'.
ignoredisk --only-use=sda


# System bootloader installation.  The first disk in the driveorder should
# be the same disk as '--only-use' above
bootloader --location=mbr --driveorder=sda

# Clear the Master Boot Record

# Clear all partitions and re-initialize for Linux (MSDOS) style partitions
clearpart --all --initlabel

## 'Fixed' partitioning for first 'primary'
##  partitions.  Extended partitons and LVM area dynamically created to
##  fit size of physical drive device.
part /boot --fstype=ext4 --ondisk=sda --label=/boot --size=512
# These partitions will reside in an LVM area, using the rest of the
#   drive space (regardless of size):
part pv.1 --fstype="lvmpv" --ondisk=sda --size=16384 --grow
volgroup osdisk_vg --pesize=32768 pv.1
logvol /    --fstype=ext4 --name=root_lv --vgname=osdisk_vg --size=8196
logvol swap --fstype=swap --name=swap_lv --vgname=osdisk_vg --size=16384
logvol /var --fstype=ext4 --name=var_lv  --vgname=osdisk_vg --size=8192
logvol /tmp --fstype=ext4 --name=tmp_lv  --vgname=osdisk_vg --size=2048
logvol /export/home --fstype=ext4 --name=home_lv --vgname=osdisk_vg --size=2048
logvol /opt --fstype=ext4 --name=opt_lv  --vgname=osdisk_vg --size=4096

I am confused by this post. Are you talking about the GUI installer doing a manual install? Separate var home and tmp partitions is easy using the GUI installer. Instead of automatic partitioning just choose manual. You must be talking about something else?

I am trying to partition for a ‘secure’ setup. I need to have many more separate partitions - something I have not yet managed to accomplish. This is an answer to my request for information.