By having more control on mounting the cache directory of Squid, if you have created the cache directory of Squid in a separate partition of your Linux system i.e. /cache, like we have done during the install setup, then you can use
the noexec, nodev, and nosuid features to improve and consolidate the cache security. These features can be set up in the /etc/fstab file to tell the system to not allow execution of any binaries; noexec
to not interpret character or block special devices; nodev and to not allow set-user-identifier or set-group-identifier bits to take effect, nosuid on the mounted file system /cache in our example.
Applying this procedure on the partition where the Squid Cache resides will help to eliminate the possibility of DEV, SUID/SGID, and execution of any binaries.
As an example, assuming /dev/sda8 is the partition in the system where the /cache directory of Squid lives, you must edit the fstab
file, vi /etc/fstab and change the line related to /dev/sda8:
/dev/sda8 /cache ext2 defaults 1 2
/dev/sda8 /cache ext2 noexec,nodev,nosuid 1 2
Dont you forget to reboot your system for the changes to take effect.
You should immunize important configuration file like squid.conf. As we already know, the immutable bit can be used to prevent deletion, overwriting, or creation of a symbolic link to a file. Once your squid.conf
file has been configured, it's a good idea to immunize it with the following command:
[root@deep /]# chattr +i /etc/squid/squid.conf