topic Re: mount filesystem with nosuid, nodev and ro options in Operating System - HP-UX

mount filesystem with nosuid, nodev and ro options

S.S. — Thu, 17 Dec 2009 06:54:57 GMT

Hi,

We need to mount the following existance filesystems with the following options:

• /var – nosuid, nodev
• /tmp – nosuid, nodev
• /usr - readonly

The current /etc/fstab contains:
/dev/vg00/lvol3 / vxfs delaylog 0 1
/dev/vg00/lvol1 /stand hfs defaults 0 1
/dev/vg00/lvol4 /home vxfs delaylog 0 2
/dev/vg00/lvol5 /opt vxfs delaylog 0 2
/dev/vg00/lvol6 /tmp vxfs delaylog 0 2
/dev/vg00/lvol7 /usr vxfs delaylog 0 2
/dev/vg00/lvol8 /var vxfs delaylog 0 2
/dev/vg00/lvol9 /var/adm/crash vxfs delaylog 0 2
/dev/vg00/dba /dba vxfs delaylog 0 2
/dev/vg00/userdata /userdata vxfs delaylog 0 2
/dev/vg00/swap1 ... swap pri=1 0 0

how we can remount the /var, /tmp, /usr filesystems with nosuid, nodev and ro switch.

We want to do this in the production system. May i know the criticality and does it requires any downtime ?

Re: mount filesystem with nosuid, nodev and ro options

Matti_Kurkela — Thu, 17 Dec 2009 07:49:58 GMT

/var, /tmp and /usr are all vxfs filesystems, so you should read "man mount_vxfs".

First, the "nodev" option does not seem to exist in HP-UX vxfs. Are you applying Linux hardening instructions to a HP-UX system?

The general syntax for remounting is:

mount -o remount,

There are also some restrictions for remounting a filesystem. From the HP-UX 11.23 mount_vxfs man page:
----
remount

Change the mount options for a mounted file system. In particular, remount changes the logging and caching policies. It also changes a files system from read-only to read/write.

remount cannot change a file system from read/write to read-only, nor can it set the snapof or snapsize attributes.

remount does not check possible changes in /etc/fstab. If you use any specific option, you must explicitly pass it in the command line.
----

Looks like remounting /usr to read-only will not be possible without downtime. If you want to do this, you must add the "ro" option to /etc/fstab and reboot the system.

Setting /var and /tmp to nosuid without downtime may or may not be possible: you should try it in a test system first. For example:

mount -o remount,delaylog,nosuid /var

Of course you should realize that installing most patches will be impossible when /usr is mounted read-only.

MK

Re: mount filesystem with nosuid, nodev and ro options

Canon_3 — Fri, 18 Dec 2009 06:23:19 GMT

Hi MK,

Thanks for your reply.

1. I am a new member to this site. Could you pls guide me how could i assign points.

2. Our's is HP-UX B.11.11 U 9000/800 environment.

3. This task is a part of our security baseline.

4. In our /etc/fstab file on production server we have:
dev/vg00/lvol3 / vxfs delaylog 0 1
/dev/vg00/lvol1 /stand hfs defaults 0 1
/dev/vg00/lvol4 /home vxfs delaylog 0 2
/dev/vg00/lvol5 /opt vxfs delaylog 0 2
/dev/vg00/lvol6 /tmp vxfs delaylog 0 2
/dev/vg00/lvol7 /usr vxfs delaylog 0 2
/dev/vg00/lvol8 /var vxfs delaylog 0 2
/dev/vg00/lvol9 /var/adm/crash vxfs delaylog 0 2
/dev/vg00/dba /dba vxfs delaylog 0 2
/dev/vg00/userdata /userdata vxfs delaylog 0 2
/dev/vg00/swap1 ... swap pri=1 0 0

If we see the output of the "bdf" command we have apps filesystems.

I guess the apps filesystems are not added in the /etc/fstab file.

As per my knowledge, if the filesytem entry is not added in the /etc/fstab file, after reboot that filesystem will not automatically mount. Am i right ?

Pls find the output of bdf command:

$ bdf
Filesystem kbytes used avail %used Mounted on
/dev/vg00/lvol3 2097152 268640 1814264 13% /
/dev/vg00/lvol1 314736 64184 219072 23% /stand
/dev/vg00/lvol8 10485760 7740496 2723888 74% /var
/dev/vg00/lvol9 25165824 1814768 22986264 7% /var/adm/crash
/dev/vg00/lvol7 8388608 1502032 6832824 18% /usr
/dev/vg00/userdata 4292608 1692818 2455708 41% /userdata
/dev/vg00/lvol6 8388608 1100128 7250080 13% /tmp
/dev/vg00/lvol5 10485760 7144792 3314928 68% /opt
/dev/vg00/lvol4 8388608 2808864 5538360 34% /home
/dev/vg00/dba 8388608 4748234 3530428 57% /dba
/dev/vgexeprod/rmanexe
10485760 4188414 6100588 41% /rmanexe
/dev/vgexeprod/prodexe
104857600 58399600 46095552 56% /prodexe
/dev/vgdata1prod/proddb1
1073577984 666897232 403503576 62% /proddb1
/dev/vgdata2prod/proddb2
1073577984 479547080 589390080 45% /proddb2
/dev/vgappsdata/prodspool
83886080 75110228 8775852 90% /prodspool
/dev/vgappsdata/prodedi
79691776 70938560 8717864 89% /prodedi
/dev/vgappsdata/comets
5242880 433307 4509031 9% /comets
/dev/vgappsdata/canpcdata
5242880 233197 4696617 5% /canpcdata
/dev/vgappsdata/rmandb
10485760 2069630 8153130 20% /rmandb
/dev/vglogsprod/prodarch2
62914560 7468456 55013064 12% /prodarch
/dev/vglogsprod/prodredo2
10485760 3736312 6538596 36% /prodredo
/dev/vgdata3prod/proddb3
512000000 184876720 324567640 36% /proddb3
/dev/vgdata4prod/proddb4
512000000 139300520 369787776 27% /proddb4
$

It is in cluster and the package is running in this server.

May i know the reason why the other filesystem entries are not added in /etc/fstab file.

Thanks & Regards
Swetha

Re: mount filesystem with nosuid, nodev and ro options

Michal Kapalka (mikap) — Fri, 18 Dec 2009 06:35:35 GMT

hi,

check this link "How Do I Assign Points?"

http://forums11.itrc.hp.com/service/forums/helptips.do?#33

mikap

Re: mount filesystem with nosuid, nodev and ro options

Torsten. — Fri, 18 Dec 2009 06:50:05 GMT

IMHO it will be not possible or result in strange behavior if you try to mount things like /var or /usr read-only.

Maybe the system will not even run, but certainly it will not log anything.

What should be the reason for this?

Re: mount filesystem with nosuid, nodev and ro options

Horia Chirculescu — Fri, 18 Dec 2009 07:32:37 GMT

Hello,

"It is in cluster and the package is running in this server.

May i know the reason why the other filesystem entries are not added in /etc/fstab file."

The "other" filesystems that you can not find in /etc/fstab are mounted by the cluster.

You can check the scripts within /etc/cmcluster/
in order to see what will be mounted and where.

Best regards,
Horia.

Re: mount filesystem with nosuid, nodev and ro options

Matti_Kurkela — Fri, 18 Dec 2009 07:35:08 GMT

1.) already covered by Michal.

2.) HP-UX B.11.11 is the OS version. It also has the marketing name "HP-UX 11i v1".
9000/800 is two thirds of the complete model designation of the server. Essentially it says "a PA-RISC server of some model".

The missing part would have identified the exact model. Fortunately it seems to have been unimportant for your questions, otherwise the people answering you would have felt a little bit frustrated.

9000 = it has a PA-RISC processor
800 = it is a server, not a workstation.

In HP-UX, the "model" command will output the complete model identification.

3.) Yes, but it appears your security baseline may have been designed for Linux or some other unix-like system, not specifically for HP-UX. Not all Linux instructions can be applied to HP-UX as-is, because the operating systems are different.

4.) /etc/fstab is the usual place for configuring filesystems to be automatically mounted, sure. But if a filesystem is configured there, the system will *always* try to mount it. If the intent is to mount the filesystem only when some conditions are met, the configuration needs to be done differently.

You say this server is part of a cluster. That would explain it: HP-UX 11.11 does not have a cluster filesystem, so any filesystems that may be mounted on other cluster nodes need a control mechanism that makes sure the filesystem is mounted by one node at a time only. The cluster software includes this control mechanism.

The filesystems related to cluster packages are configured in the cluster configuration, not in /etc/fstab.

Usually the cluster software is started when the system boots: it will attempt to contact all the other cluster nodes and verify which package filesystems are mounted on each node. If the system cannot access other cluster nodes, it assumes it has been isolated by a network failure. Other nodes within a working part of the network may be using the filesystems, so the only safe option is to not mount any package filesystems at all in this situation.

MK

Re: mount filesystem with nosuid, nodev and ro options

S.S. — Mon, 21 Dec 2009 08:28:00 GMT

As suggested by Horia and MK these filesystems are available at
/etc/cmcluser/.cntl file

Closing thread.

Thanks all for responding and spending your valuable time.

Re: mount filesystem with nosuid, nodev and ro options

S.S. — Mon, 21 Dec 2009 08:32:05 GMT

As suggested by Horia and MK these filesystems are available at
/etc/cmcluser/.cntl file

Closing thread.

Thanks all for responding and spending your valuable time.