CIS compliant LVM partitions

I’m using Kickstart to create an AlmaLinux 8 server with CIS compliant LVM partitions. What is your advice with regard to sizing these?

This is from my kickstart.cfg:

# Partition information

zerombr

# net.ifnames are defined by the host
bootloader --location=boot --append="audit=0 console=tty1 console=ttyS0,115200n8 earlyprintk=ttyS0,115200 rootdelay=300"
clearpart --all --drives=sda --initlabel

# Create primary system partitions (required for installs)
part /boot/efi --fstype=vfat --label EFI --size=500
part /boot --fstype=ext4 --label BOOT --size=1000 --fsoptions="nodev,nosuid,noexec"
part pv.01 --size=1 --ondrive=sda --grow

# Create a Logical Volume Management (LVM) group (optional)
volgroup vgsys pv.01

# Create particular logical volumes (optional)
logvol / --fstype=xfs --name=lv_root --vgname=vgsys --size=4096 --grow
# rhel8cis_rule_1_1_7: Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=lv_home --vgname=vgsys --size=1024 --fsoptions="nodev,nosuid,usrquota,grpquota" --grow
# rhel8cis_rule_1_1_2: Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=xfs --name=lv_tmp --vgname=vgsys --size=2048 --fsoptions="nodev,noexec,nosuid"
# rhel8cis_rule_1_1_3: Ensure /var Located On Separate Partition
logvol /var --fstype=xfs --name=lv_var --vgname=vgsys --size=4096 --fsoptions="nodev,noexec,nosuid" --grow
# rhel8cis_rule_1_1_4: Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=lv_vartmp --vgname=vgsys --size=2048 --fsoptions="nodev,noexec,nosuid"
# rhel8cis_rule_1_1_5: Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=lv_log --vgname=vgsys --size=4096 --fsoptions="nodev,nosuid,noexec"
# rhel8cis_rule_1_1_6: Ensure /var/log/audit Located On Separate Partition
logvol /var/log/audit --fstype=xfs --name=lv_adm --vgname=vgsys --size=2048 --fsoptions="nodev,nosuid,noexec"
logvol swap --name=lv_swap --vgname=vgsys --size=2016
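The mount-option requirements the kickstart above encodes can be audited after install. The following is an added example (not code from this thread or from any CIS tooling): it reads a /proc/self/mounts-style table and reports each required separate filesystem that is missing or lacks one of the nodev/nosuid/noexec options the kickstart sets; the two mount tables are constructed for illustration.

```shell
# Added audit helper (not from the thread or any CIS tool): checks a
# /proc/self/mounts-style table for the separate filesystems and mount
# options the kickstart above requests. Requirements copied from it.
REQUIRED='/home nodev,nosuid
/tmp nodev,noexec,nosuid
/var nodev,noexec,nosuid
/var/tmp nodev,noexec,nosuid
/var/log nodev,nosuid,noexec
/var/log/audit nodev,nosuid,noexec'
# check_mounts TABLE: prints one FAIL line per finding; returns 0 only when clean.
check_mounts() {
    table=$1; rc=0
    while read -r mp want; do
        # last entry for the exact mountpoint wins (later mounts shadow earlier ones)
        opts=$(printf '%s\n' "$table" | awk -v m="$mp" '$2 == m { o = $4 } END { print o }')
        if [ -z "$opts" ]; then
            echo "FAIL $mp: not a separate filesystem"; rc=1; continue
        fi
        old_ifs=$IFS; IFS=,
        for opt in $want; do
            case ",$opts," in
                *",$opt,"*) ;;
                *) echo "FAIL $mp: missing $opt (mounted with $opts)"; rc=1 ;;
            esac
        done
        IFS=$old_ifs
    done <<EOF
$REQUIRED
EOF
    return $rc
}

# Constructed tables (device mountpoint fstype options dump pass), root line omitted.
GOOD_MOUNTS='/dev/mapper/vgsys-lv_home /home xfs rw,nodev,nosuid,relatime,usrquota,grpquota 0 0
/dev/mapper/vgsys-lv_tmp /tmp xfs rw,nodev,noexec,nosuid,relatime 0 0
/dev/mapper/vgsys-lv_var /var xfs rw,nodev,noexec,nosuid,relatime 0 0
/dev/mapper/vgsys-lv_vartmp /var/tmp xfs rw,nodev,noexec,nosuid,relatime 0 0
/dev/mapper/vgsys-lv_log /var/log xfs rw,nodev,nosuid,noexec,relatime 0 0
/dev/mapper/vgsys-lv_adm /var/log/audit xfs rw,nodev,nosuid,noexec,relatime 0 0'
# Same host, but /var/tmp was left as a plain directory and /tmp is tmpfs without noexec.
BAD_MOUNTS='/dev/mapper/vgsys-lv_home /home xfs rw,nodev,nosuid,relatime 0 0
tmpfs /tmp tmpfs rw,nodev,nosuid,relatime 0 0
/dev/mapper/vgsys-lv_var /var xfs rw,nodev,noexec,nosuid,relatime 0 0
/dev/mapper/vgsys-lv_log /var/log xfs rw,nodev,nosuid,noexec,relatime 0 0
/dev/mapper/vgsys-lv_adm /var/log/audit xfs rw,nodev,nosuid,noexec,relatime 0 0'

# On a real host: check_mounts "$(cat /proc/self/mounts)"
check_mounts "$GOOD_MOUNTS" && echo "good table: compliant"
check_mounts "$BAD_MOUNTS" || echo "bad table: see findings above"
```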

Red Hat does have some recommendations for RHEL 8: Appendix E. Partitioning reference Red Hat Enterprise Linux 8 | Red Hat Customer Portal
(They also write that separate /var makes boot more complex. Probably because /var has symlinks /var/run and /var/lock that point to within /run – a tmpfs – and some old services might still access that via /var/*. )

Anyway, it is possible to resize LVs relatively flexibly, provided that there is free space to allocate. I almost never allocate the entire physical disk.

The other important detail is that XFS does not shrink. If you need to make a filesystem smaller, you have to remove it, create a smaller one, and restore the data. I still use ext4 (and have unallocated space) “just in case”. (I don’t use CIS though.)


If you do have a similar server setup (packages, etc.), you can look at how it uses space now.
Here are two examples – usage of /, detailed at depth 1 (-d 1):

[desktop]# du -d1 -hx /
1.5G	/var
16K	/lost+found
8.0K	/mnt
4.0K	/media
4.0K	/srv
4.0K	/afs
34M	/etc
228K	/tmp
153M	/root
9.9G	/usr
12G	/

[virthost]# du -d1 -hx /
2.7G	/usr
4.0K	/srv
701M	/tftpboot
525M	/var
4.0K	/home
3.6M	/root
16K	/lost+found
4.0K	/media
28M	/etc
4.0K	/opt
4.0K	/mnt
4.0G	/

Just FYI, there is an AlmaLinux 8-specific benchmark that does differ from the RHEL one, and an update (v3.0.0) is about to be released for it:

https://workbench.cisecurity.org/benchmarks/15287

A few things around partitions have changed, e.g. ditching home quotas, EFI umask, etc.

A few comments: /tmp should be tmpfs, not LVM, and 1 GB may be a bit large if /boot/efi exists too. Not sure you can have multiple --grow’s either (should just be for /).

I’ve got to upload my updated scripts, but you may find some useful stuff here:

You can use reqpart --add-boot to get recommended-sized /boot{,/efi} filesystems, and --recommended for swap, but the others you’re just going to have to feel out because it’s site-specific, depending on what you install and how you operate. My ptable snippet currently has, among others,

/                   --size=32768
/var                --size=4096
/var/cache          --size=8192
/var/crash          --size=2048
/var/lib/dkms       --size=4096
/var/log            --size=4096
/var/log/audit      --size=2048
/var/spool/abrt     --size=2048
/var/tmp            --size=8192
/tmp                --size=8192
swap                --recommended

but that root filesystem size is because I have hosts with several versions of the ROCm userland installed at five to ten gig a pop, whereas your setups may well be fine with just four. My two-gig /var/crash would likely need to increase to receive actual full kdumps.

Similar to what jlehtone said, as long as you’re conservative with the initial sizes and leave room in the VG, you can expand as you go and feel it out for your circumstances.
