Hardening a Linux Jump Box: STIG-Aligned Partitioning on Rocky Linux 9
This is a follow-up to my last video, where I built two isolated VLANs (a Dev and a Test network) and proved they couldn't talk to each other, to my production network, or to the internet. That isolation is great for security — but it raises an obvious problem: how do you actually work with machines you've sealed off? The answer is a jump box (a bastion host) — a single, controlled way in.

But before that box gets to bridge into my isolated networks, it needs to be hardened, because it becomes a security boundary: if the jump box is compromised, it's the path into the networks I worked so hard to seal. So in this video I build it the way you'd build a bastion in a high-security environment. This episode focuses on the foundation: a STIG-aligned filesystem layout on Rocky Linux 9, and the secure mount options that actually shrink the attack surface.

What I cover:
- What a STIG (Security Technical Implementation Guide) is and why a jump box specifically deserves this level of hardening
- Why separating filesystems matters — containing disk exhaustion and enabling per-filesystem security options
- Building the partition layout with LVM during install (and why LVM, so you can resize later)
- The mount options explained in plain English — nodev, nosuid, and noexec: what each one does and the exact attack each prevents
- The critical gotchas: why /var must NEVER be noexec, and how to handle /tmp noexec when an installer needs to execute there
- Applying the options via /etc/fstab and verifying they persist across reboots

In the next video, this hardened box — "iceberg-gate" — gets its controlled, on-demand access into the isolated VLANs: a path I can switch ON only when I need it, and OFF the moment I'm done.

Note: this is STIG-aligned hardening (the high-value partitioning and mount-option subset), not full DISA STIG compliance — full compliance means passing a complete OpenSCAP scan, which I touch on at the end.
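As an added example (not code from the video), here is a small POSIX shell audit of the /etc/fstab layout described above: it checks each separated mount point for the nodev/nosuid/noexec options and flags noexec on /var as a misconfiguration. The sample fstab and the expected-options table are assumptions constructed for this example; adjust the table to your own STIG baseline.

```shell
#!/bin/sh
# Constructed sample fstab (not from a real host): /var wrongly carries noexec,
# /var/log lacks nosuid, /var/tmp is missing entirely, the rest are as intended.
SAMPLE_FSTAB='/dev/mapper/rl-root /        xfs   defaults                     0 0
/dev/mapper/rl-home /home    xfs   defaults,nodev,nosuid        0 0
/dev/mapper/rl-tmp  /tmp     xfs   defaults,nodev,nosuid,noexec 0 0
/dev/mapper/rl-var  /var     xfs   defaults,nodev,nosuid,noexec 0 0
/dev/mapper/rl-log  /var/log xfs   defaults,nodev               0 0
tmpfs               /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0'
# Expected options per mount point. This table is an assumption for the example;
# adjust it to your baseline. /var gets no noexec on purpose: rpm/dnf and other
# package tooling execute scripts under /var, so noexec there breaks updates.
expected_opts() {
  case "$1" in
    /tmp|/var/tmp|/dev/shm) echo "nodev nosuid noexec" ;;
    /home|/var|/var/log)    echo "nodev nosuid" ;;
    *)                      echo "" ;;
  esac
}
# fstab_opts FSTAB_TEXT MOUNTPOINT: print the options field of that mount's line.
fstab_opts() {
  printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }'
}
# has_opt OPTS NAME: true if NAME appears in the comma-separated OPTS string.
has_opt() {
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}
# check_mount FSTAB_TEXT MOUNTPOINT: prints OK, ABSENT, MISSING:<opts> or
# FORBIDDEN:noexec (only for /var); returns non-zero on anything but OK.
check_mount() {
  opts=$(fstab_opts "$1" "$2")
  [ -n "$opts" ] || { echo "ABSENT"; return 1; }
  if [ "$2" = "/var" ] && has_opt "$opts" noexec; then
    echo "FORBIDDEN:noexec"; return 1
  fi
  missing=""
  for want in $(expected_opts "$2"); do
    has_opt "$opts" "$want" || missing="$missing,$want"
  done
  [ -z "$missing" ] && { echo "OK"; return 0; }
  echo "MISSING:${missing#,}"; return 1
}
# Audit the whole set. On a live box use: check_mount "$(cat /etc/fstab)" /tmp
# and, after a reboot, compare with the kernel's view: findmnt -no OPTIONS /tmp
for mp in /tmp /var/tmp /dev/shm /home /var /var/log; do
  printf '%-9s %s\n' "$mp" "$(check_mount "$SAMPLE_FSTAB" "$mp")"
done
```

Checking /etc/fstab alone only proves intent; the findmnt comparison after a reboot is what proves the options actually persisted.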
🐧 Tech & Penguin — homelab, Linux, networking, and security, built and broken in public. #homelab #linux #rockylinux #stig #cybersecurity #hardening #bastion #sysadmin #rhcsa #selfhosted #infosec
