Configuring File System Mounts, File Permissions, and File Ownerships

Using separate disk partitions for OS and user data can prevent a "file system full" error from impacting the operation of a server. For example, you can create separate partitions for /home, /tmp, /oracle, and so on.

Establishing disk quotas can prevent a user from filling up a file system (intentionally or not) and thereby denying access to other users.

To prevent the OS files and utilities from being altered during an intrusion, you can mount the /usr file system with read-only permissions. If you need to update any RPMs on the file system, use the -o remount,rw option with the mount command to remount /usr for both read and write access. After performing the update, you can use the -o remount,ro option to return the /usr file system to read-only mode.

To limit user access to non-root local file systems such as /tmp or removable storage partitions, you can specify the -o noexec,nosuid,nodev options to mount (or add them to the options column of the corresponding /etc/fstab entry so that they persist across reboots). noexec prevents programs on the file system from being executed directly; nosuid prevents the setuid and setgid bits from having any effect; nodev prevents character and block device files on the file system from being used. Note that noexec stops a script from being run as ./script.sh but not from being run by passing it to an interpreter explicitly (for example, sh /tmp/script.sh), so it reduces rather than eliminates code execution from that file system.
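The following script, added here as an example and not part of the original page, audits a mount table against a policy that covers both cases described above: /usr must be mounted ro, and user-writable file systems must carry noexec, nosuid and nodev. The policy entries and the sample mount table are constructed for the example; on a live host you would feed it /proc/mounts instead.

```shell
#!/bin/sh
# Added example (not from the original page): audit a mount table against a
# policy of required mount options. Reads lines in /proc/mounts format
# (device mountpoint fstype options dump pass) on stdin.

# Policy for this example: each line is "<mount point> <required options>".
# The mount points and required options are assumptions chosen for illustration.
POLICY='
/usr ro
/tmp noexec,nosuid,nodev
/home nosuid,nodev
/dev/shm noexec,nosuid,nodev
'

# Constructed sample mount table (not captured from a real host): /usr is
# still mounted rw and /tmp lacks noexec, so both should be reported.
SAMPLE='
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /usr ext4 rw,relatime 0 0
/dev/sda4 /home ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
'

# has_opt OPTIONS OPT: succeed if the comma-separated OPTIONS list contains
# OPT as a whole word (so "nodev" does not match "nodevfoo").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts: read a mount table on stdin and print one line per policy
# violation ("<mount> missing <opts>" or "<mount> not mounted").
# Exit status is 1 if anything was reported, 0 if every mount complies.
audit_mounts() {
    table=$(cat)
    status=0
    while read -r want required; do
        [ -n "$want" ] || continue
        # Options column (field 4) of the line whose mount point is $want;
        # the last entry wins if a mount point is listed more than once.
        opts=$(printf '%s\n' "$table" | awk -v m="$want" '$2 == m { print $4 }' | tail -n 1)
        if [ -z "$opts" ]; then
            printf '%s not mounted\n' "$want"
            status=1
            continue
        fi
        missing=""
        for o in $(printf '%s\n' "$required" | tr ',' ' '); do
            has_opt "$opts" "$o" || missing="$missing,$o"
        done
        if [ -n "$missing" ]; then
            printf '%s missing %s\n' "$want" "${missing#,}"
            status=1
        fi
    done <<EOF
$POLICY
EOF
    return $status
}

# Usage: "./mount_audit.sh --demo" runs against the constructed sample;
# "./mount_audit.sh --live" reads /proc/mounts on the current host.
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE" | audit_mounts ;;
    --live) audit_mounts < /proc/mounts ;;
esac
```

Running the demo reports "/usr missing ro" and "/tmp missing noexec" and exits 1; a fully compliant table produces no output and exit status 0, which makes the function usable as a check in a configuration-management or CI pipeline.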

To check for unowned files and directories on each file system, use the find command. The parentheses are required: without them find parses -nouser -o -nogroup -exec ... as two alternatives, and matches for -nouser are never listed.

sudo find mount_point -mount \( -nouser -o -nogroup \) -exec ls -ld {} \;

Unowned files and directories can be associated with a deleted user account, and that might indicate an error with software installation or removal, or they might be a sign of an intrusion on the system. You can correct the permissions and ownership of the files and directories that you find, or remove them. Investigating and correcting the problem that led to their creation is considered good security practice.

To check for world-writable directories on each file system, use the find command:

sudo find mount_point -mount -type d -perm /o+w -exec ls -ld {} \;

Investigating any world-writable directory that's owned by a user other than a system user is considered good security practice. Unless the sticky bit is set on the directory (as it is on /tmp and /var/tmp), any user can remove or rename files that other users write there, so correct the permissions and ownership of any directories that you find (for example, by setting the sticky bit or removing world-write access) or remove them.

You can also use the find command to check for setuid and setgid executables.

sudo find path -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;

If the setuid or setgid bit is set, an executable runs with the privileges of the file's owner or group (for example, root) rather than those of the user who runs it, which lets it perform a task that requires other rights. However, a memory-safety bug such as a buffer overrun in such an executable can be exploited to run unauthorized code with those elevated privileges, so review any setuid or setgid executable that you do not expect to find and keep their number to a minimum.
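The three find audits above, as an added example (not part of the original page), wrapped in shell functions with the operator precedence written out and the sticky-bit exception for world-writable directories applied. A constructed sample tree lets the checks be exercised without root; unowned files cannot be created without root, so that check is expected to report nothing on the sample. -xdev is the POSIX spelling of GNU find's -mount.

```shell
#!/bin/sh
# Added example (not from the original page): the three find(1) audits from
# the text as shell functions, plus a constructed sample tree for testing.

# Files or directories whose owner or group no longer exists in passwd/group.
# The parentheses are essential: "-nouser -o -nogroup -exec ..." would be
# parsed as "(-nouser) -o (-nogroup -exec ...)", so -nouser matches would
# never be listed.
find_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -exec ls -ld {} \;
}

# World-writable directories without the sticky bit. In such a directory any
# user can delete or rename files that other users created; sticky (1777)
# directories such as /tmp are the sanctioned exception and are not reported.
find_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -exec ls -ld {} \;
}

# Regular files with the setuid or setgid bit set.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;
}

# make_sample_tree DIR: populate DIR with constructed test content (not real
# system files). Unowned files need root to create, so none are included.
make_sample_tree() {
    mkdir -p "$1/open" "$1/sticky" "$1/normal"
    chmod 0777 "$1/open"     # world-writable, no sticky bit: reported
    chmod 1777 "$1/sticky"   # world-writable with sticky bit: not reported
    chmod 0755 "$1/normal"
    : > "$1/normal/plain"; chmod 0644 "$1/normal/plain"   # ordinary file
    : > "$1/normal/suid";  chmod 4755 "$1/normal/suid"    # setuid: reported
    : > "$1/normal/sgid";  chmod 2755 "$1/normal/sgid"    # setgid: reported
}

# count_findings CHECK DIR: number of lines CHECK reports for DIR.
count_findings() {
    "$1" "$2" | wc -l | tr -d ' '
}

# Usage: "./fs_audit.sh --demo" runs all three checks on a throwaway sample
# tree. On a live system call, for example, "find_setid_files /" as root.
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp -d)
    make_sample_tree "$sample"
    for check in find_unowned find_world_writable_dirs find_setid_files; do
        printf '== %s: %s finding(s)\n' "$check" "$(count_findings "$check" "$sample")"
        "$check" "$sample"
    done
    rm -rf "$sample"
fi
```

On the sample tree the demo reports one world-writable directory (open, but not sticky) and two set-id files (suid and sgid), and nothing unowned. On a real host, run the functions against each mount point as root and compare the set-id list against what the installed packages are expected to ship.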