Mount option local filesystem
151 views
Skip to first unread message
Patrick de Ruiter
Jan 20, 2014, 5:56:26 AM1/20/14
to help-c...@googlegroups.com
Hi Guys,
bundle agent storage
{
storage:
linux::
"/usr" mount => options1("nodev");
"/home" mount => options1("nodev");
"/opt" mount => options1("nodev");
"/export" mount => options1("nodev");
"/data" mount => options1("nodev");
"/var" mount => options1("nodev");
"/var/log" mount => options1("nodev,noexec,nosuid");
"/var/log/audit" mount => options1("nodev,noexec,nosuid");
"/tmp" mount => options1("nodev,noexec,nosuid");
}
{
mount_options => {"$(opts)"};
edit_fstab => "true";
}
as far I a can see and understand, the syntax is correct but it bails out with the following error:
For PCI-DSS compliance our systems need to be hardened, I'm using the CIS and NSA guidelines to achieve this.
One of the steps in the guideline is to set the nosetuid, noexec and nodev mount options on the appropriate filesystems.
To achieve this I wrote the following promise:
bundle agent storage
{
storage:
linux::
"/usr" mount => options1("nodev");
"/home" mount => options1("nodev");
"/opt" mount => options1("nodev");
"/export" mount => options1("nodev");
"/data" mount => options1("nodev");
"/var" mount => options1("nodev");
"/var/log" mount => options1("nodev,noexec,nosuid");
"/var/log/audit" mount => options1("nodev,noexec,nosuid");
"/tmp" mount => options1("nodev,noexec,nosuid");
}
{
mount_options => {"$(opts)"};
edit_fstab => "true";
}
as far I a can see and understand, the syntax is correct but it bails out with the following error:
2014-01-20T11:02:27+0100 error: Insufficient specification in mount promise - need source and server
It looks like the promise type "storage" and more specific the mount statement can only be used with nfs servers.
is this assumption correct?, or am I doing something wrong?
Please enlighten me.
Cheers,
Patrick
Nick Anderson
Jan 20, 2014, 6:35:37 AM1/20/14
to Patrick de Ruiter, help-c...@googlegroups.com
Yes, storage type promises are for NFS currently. https://cfengine.com/docs/master/reference-promise-types-storage.html
--
You received this message because you are subscribed to the Google Groups "help-cfengine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to help-cfengin...@googlegroups.com.
To post to this group, send email to help-c...@googlegroups.com.
Visit this group at http://groups.google.com/group/help-cfengine.
For more options, visit https://groups.google.com/groups/opt_out.
Beto
Jan 20, 2014, 7:57:24 AM1/20/14
to help-c...@googlegroups.com
You may be able to adapt this to your requirements:
# Description:
# 1. Ensure file systems requiring the nosuid mount option
# are correctly mounted.
# 2. Ensure root file system is mounted with the log option.
#
# /etc/fstab will be edited and file systems will be remounted as
# needed.
#
#########################################################
#
# Check /etc/fstab
bundle agent fstab
{
vars:
"Fstab" -> { "GEN002420, GEN003640" }
comment => "CAT II UNIX STIG: 3.12.1 Set User ID (suid); 3.21 File Systems",
string => "/etc/fstab";
"fstab"
comment => "Read /etc/fstab into array",
slist => readstringlist(
"$(Fstab)",
"#[^\n]*",
"\n",
"256",
"8192"
);
"nosuid_filesystems"
comment => "Pattern to match file systems that require nosuid",
string => "^(/dev/|\w+:)((?!\s(/|/media/\w+|/opt|/opt/applmgr(/\S*)?|/opt/oracle|/proc|swap|/tmp|/usr|/var)\s).)*$";
"nosuid"
comment => "Pattern to match file systems that have no nosuid option",
string => "^((?[\s,]).)*$";
"may_need_nosuid"
comment => "List of file systems to check for nosuid option",
slist => grep("$(nosuid_filesystems)","fstab");
"need_nosuid"
comment => "List of file systems that need nosuid option added",
slist => grep("$(nosuid)","may_need_nosuid");
hpux::
"log_filesystems"
comment => "Pattern to match file systems that require log option (currently only /)",
string => "^.*\s+(/)\s+.*$";
"logopt"
comment => "Pattern to match file systems that have no log option",
string => "^((?[\s,]).)*$";
"may_need_logopt"
comment => "List of file systems to check for log option",
slist => grep("$(log_filesystems)","fstab");
"need_logopt"
comment => "List of file systems that need log option added",
slist => grep("$(logopt)","may_need_logopt");
files:
any::
"$(Fstab)"
comment => "Edit /etc/fstab",
edit_line => set_fstab_options,
edit_defaults => std_defs,
create => "true";
methods:
any::
"ok" usebundle => remount("$(need_nosuid)","nosuid","suid");
"ok" usebundle => remount("$(need_logopt)","log","delaylog|tmplog");
}
bundle agent remount(fs,opt,nopt)
{
#########################################################
#
# remount a file system
#
# This bundle takes as input:
# fs - the file system entry from fstab
# opt - the new mount option
# nopt - any conflicting mount option(s) that should be removed
vars:
hpux::
"fs_type" string => "-F";
"mount" string => "/sbin/mount";
linux::
"fs_type" string => "-t";
"mount" string => "/bin/mount";
remount::
"mount_options_old" slist => splitstring("$(fs_ent[4])",",","9");
"mount_options_tmp" slist => { "remount", "@(mount_options_old)", "$(opt)" };
"mount_options_new" slist => grep("(?!${nopt}).*","mount_options_tmp");
"mount_options" string => join(",","mount_options_new");
classes:
"remount"
comment => "Extract device, fstype, options and mount point into array",
expression => regextract("([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s.*","$(fs)","fs_ent");
"have_mount_options"
expression => isvariable("mount_options");
commands:
have_mount_options.(!debug)::
"$(mount) $(fs_type) $(fs_ent[3]) -o $(mount_options) $(fs_ent[1]) $(fs_ent[2])"
comment => "Remount a file system";
reports:
have_mount_options.debug::
"$(fs_ent[2]) mount_options_old [$(mount_options_old)]";
"$(fs_ent[2]) mount_options_tmp [$(mount_options_tmp)]";
"$(fs_ent[2]) mount_options_new [$(mount_options_new)]";
"$(fs_ent[2]) mount_options [$(mount_options)]";
"Remount needed: $(mount) $(fs_type) $(fs_ent[3]) -o $(mount_options) $(fs_ent[1]) $(fs_ent[2])"
comment => "Turn on debugging with \"cf-agent -KIb mount_nfs -Ddebug -f ./promises.cf\"";
}
bundle edit_line set_fstab_options
{
field_edits:
# do add before remove to avoid creating a blank field
"$(fstab.nosuid_filesystems)"
comment => "Add nosuid mount option",
edit_field => col("\s+","4","nosuid","append");
"$(fstab.nosuid_filesystems)"
comment => "Remove suid mount option",
edit_field => col("\s+","4","suid","delete");
"$(fstab.log_filesystems)"
comment => "Add log mount option",
edit_field => col("\s+","4","log","append");
"$(fstab.log_filesystems)"
comment => "Remove delaylog mount option",
edit_field => col("\s+","4","delaylog","delete");
Ted Zlatanov
Jan 20, 2014, 10:11:27 AM1/20/14
to help-c...@googlegroups.com
On Mon, 20 Jan 2014 04:57:24 -0800 (PST) Beto <bwi...@gmail.com> wrote:
B> You may be able to adapt this to your requirements:
...
Please also look at the CFEngine standard library:
bundle edit_line fstab_option_editor(method, mount, option)
in masterfiles.git/lib/3.6/files.cf (added recently).
I think it's similar to Beto's solution. Beto, if you want to compare
the two and maybe merge them, I can add that to the stdlib. I like your
approach :)
Ted
B> You may be able to adapt this to your requirements:
...
Please also look at the CFEngine standard library:
bundle edit_line fstab_option_editor(method, mount, option)
in masterfiles.git/lib/3.6/files.cf (added recently).
I think it's similar to Beto's solution. Beto, if you want to compare
the two and maybe merge them, I can add that to the stdlib. I like your
approach :)
Ted
Beto
Jan 21, 2014, 11:11:14 AM1/21/14
to help-c...@googlegroups.com
...
Actually, it can be reworked to use fstab_option_editor as is, as below. Is this what you had in mind?
cat fstab.cf
#########################################################
#
# fstab.cf - check fstab options
#
# 1. Ensure file systems requiring the nosuid mount option
# are correctly mounted.
# 2. Ensure root file system is mounted with the log option.
#
# /etc/fstab will be edited and file systems will be remounted as
# needed.
#
bundle agent fstab
{
vars:
"Fstab" -> { "GEN002420, GEN003640" }
comment => "CAT II UNIX STIG: 3.12.1 Set User ID (suid); 3.21 File Systems",
string => "/home/admin/ringerso/inputs/fstab";
comment => "add nosuid option",
edit_line => fstab_option_editor("append","$(need_nosuid)","nosuid"),
edit_defaults => std_defs,
create => "true";
"$(Fstab)"
comment => "delete suid option",
edit_line => fstab_option_editor("delete","$(need_nosuid)","suid"),
edit_defaults => std_defs,
create => "true";
"$(Fstab)"
comment => "add log option",
edit_line => fstab_option_editor("append","$(need_logopt)","log"),
edit_defaults => std_defs,
create => "true";
"$(Fstab)"
comment => "remove delaylog option",
edit_line => fstab_option_editor("delete","$(need_logopt)","delaylog"),# "$(fs_ent[2]) mount_options_tmp [$(mount_options_tmp)]";
"$(fs_ent[2]) mount_options_new [$(mount_options_new)]";
"$(fs_ent[2]) mount_options_final [$(mount_options)]";
"Remount needed: $(mount) $(fs_type) $(fs_ent[3]) -o $(mount_options) $(fs_ent[1]) $(fs_ent[2])"cat fstab
/dev/cciss/c0d0p1 /boot ext3 defaults,nosuid 1 2
/dev/cciss/c0d0p2 swap swap defaults 0 0
/dev/vg00/lvol1 / ext3 defaults,acl 1 1
/dev/vg00/lvol2 /home ext3 defaults,nosuid 1 2
/dev/vg00/lvol4 /usr ext3 defaults 1 2
/dev/vg00/lvol5 /var ext3 defaults 1 2
/dev/vg00/lvol6 /opt ext3 defaults 1 2
/dev/vg00/lvol20 /u06 ext3 defaults,nosuid 1 2
/dev/vg00/lvol50 /var/log/audit ext4 nosuid,noatime,barrier=0 1 2
/dev/vg01/lvol1 /pre_release ext4 suid,noatime,barrier=0 1 2
/dev/vg01/lvol2 /releases ext4 noatime,barrier=0 1 2
/dev/vg01/lvol3 /opt/oracle ext4 noatime,barrier=0 1 2
/dev/vg01/lvol4 /usr/local/cisco ext4 nosuid,noatime,barrier=0 1 2
/dev/vg02/lvol1 /stage ext4 nosuid,noatime,barrier=0 1 2
/dev/vg02/lvol2 /exports/jboss ext4 nosuid,noatime,barrier=0 1 2
/dev/vg02/lvol3 /exports/ppm ext4 nosuid,noatime,barrier=0 1 2
/dev/vg02/lvol4 /exports/st ext4 nosuid,noatime,barrier=0 1 2
/dev/vg02/lvol5 /exports/sysadmin ext4 nosuid,noatime,barrier=0 1 2
/dev/vg02/lvol6 /restore ext4 noatime,barrier=0,nosuid 1 2
/dev/vg03/lvol1 /u01 ext4 nosuid,noatime,barrier=0 1 2
/dev/vg03/lvol2 /u02 ext4 nosuid,noatime,barrier=0 1 2
/dev/vg03/lvol3 /u03 ext4 nosuid,noatime,barrier=0 1 2
/dev/vg03/lvol4 /u04 ext4 nosuid,noatime,barrier=0 1 2
/dev/vg03/lvol5 /u05 ext4 nosuid,noatime,barrier=0 1 2
#/dev/vg03/lvol6 /u06 ext4 nosuid,noatime,barrier=0 1 2
/dev/vg03/lvol7 /u07 ext4 nosuid,noatime,barrier=0 1 2
devpts /dev/pts devpts gid=5,mode=620 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
tmpfs /tmp tmpfs size=3G,nr_inodes=10k,mode=1777 0 0
cf-agent -KIb fstab -Ddebug -f ./fstab.cf
2014-01-21T09:42:52-0600 info: Using command line specified bundlesequence
2014-01-21T09:42:52-0600 notice: R: /pre_release mount_options_old [suid]
2014-01-21T09:42:52-0600 notice: R: /pre_release mount_options_old [noatime]
2014-01-21T09:42:52-0600 notice: R: /pre_release mount_options_old [barrier=0]
2014-01-21T09:42:52-0600 notice: R: /pre_release mount_options_new [remount]
2014-01-21T09:42:52-0600 notice: R: /pre_release mount_options_new [noatime]
2014-01-21T09:42:52-0600 notice: R: /pre_release mount_options_new [barrier=0]
2014-01-21T09:42:52-0600 notice: R: /pre_release mount_options_new [nosuid]
2014-01-21T09:42:52-0600 notice: R: /pre_release mount_options [remount,noatime,barrier=0,nosuid]
2014-01-21T09:42:52-0600 notice: R: Remount needed: /bin/mount -t ext4 -o remount,noatime,barrier=0,nosuid /dev/vg01/lvol1 /pre_release
2014-01-21T09:42:52-0600 notice: R: /releases mount_options_old [noatime]
2014-01-21T09:42:52-0600 notice: R: /releases mount_options_old [barrier=0]
2014-01-21T09:42:52-0600 notice: R: /releases mount_options_new [remount]
2014-01-21T09:42:52-0600 notice: R: /releases mount_options_new [noatime]
2014-01-21T09:42:52-0600 notice: R: /releases mount_options_new [barrier=0]
2014-01-21T09:42:52-0600 notice: R: /releases mount_options_new [nosuid]
2014-01-21T09:42:52-0600 notice: R: /releases mount_options [remount,noatime,barrier=0,nosuid]
2014-01-21T09:42:52-0600 notice: R: Remount needed: /bin/mount -t ext4 -o remount,noatime,barrier=0,nosuid /dev/vg01/lvol2 /releases
Ted Zlatanov
Jan 22, 2014, 12:37:01 PM1/22/14
to help-c...@googlegroups.com
On Tue, 21 Jan 2014 08:11:14 -0800 (PST) Beto <bwi...@gmail.com> wrote:
B> On Monday, January 20, 2014 9:11:27 AM UTC-6, Ted Zlatanov wrote:
>>
>> On Mon, 20 Jan 2014 04:57:24 -0800 (PST) Beto <bwi...@gmail.com<javascript:>>
B> Is this what you had in mind?
Yes. With a little work it could go into a new lib/3.[56]/fstab.cf, not
included by default but quite useful. If you make it require 3.6, you
can shorten the code even more.
Ted
B> On Monday, January 20, 2014 9:11:27 AM UTC-6, Ted Zlatanov wrote:
>>
>> On Mon, 20 Jan 2014 04:57:24 -0800 (PST) Beto <bwi...@gmail.com<javascript:>>
>> wrote:
>>
>> Beto, if you want to compare the two and maybe merge them, I can add that
>> to the stdlib. I like your
>> approach :)
>> ...
B> Actually, it can be reworked to use fstab_option_editor as is, as below.
>>
>> Beto, if you want to compare the two and maybe merge them, I can add that
>> to the stdlib. I like your
>> approach :)
>> ...
B> Is this what you had in mind?
Yes. With a little work it could go into a new lib/3.[56]/fstab.cf, not
included by default but quite useful. If you make it require 3.6, you
can shorten the code even more.
Ted
Beto
Jan 22, 2014, 1:26:30 PM1/22/14
to help-c...@googlegroups.com
On Wednesday, January 22, 2014 11:37:01 AM UTC-6, Ted Zlatanov wrote:
Yes. With a little work it could go into a new lib/3.[56]/fstab.cf, not
included by default but quite useful. If you make it require 3.6, you
can shorten the code even more.
Ted
Well, although I thought the new bundle was working, it doesn't update fstab for some reason. It does do the remounts, as shown in the debug output. I'm not sure where the issue is so I reverted back to the original version (posted above) for the time being. Do you see anything obviously wrong with the updated version that would cause it to skip the fstab edits?
Ted Zlatanov
Jan 23, 2014, 10:03:54 AM1/23/14
to help-c...@googlegroups.com
On Wed, 22 Jan 2014 10:26:30 -0800 (PST) Beto <bwi...@gmail.com> wrote:
B> On Wednesday, January 22, 2014 11:37:01 AM UTC-6, Ted Zlatanov wrote:
>>
>> Yes. With a little work it could go into a new lib/3.[56]/fstab.cf, not
>> included by default but quite useful. If you make it require 3.6, you
>> can shorten the code even more.
>>
B> Well, although I thought the new bundle was working, it doesn't update
B> fstab for some reason. It does do the remounts, as shown in the debug
B> output. I'm not sure where the issue is so I reverted back to the original
B> version (posted above) for the time being. Do you see anything obviously
B> wrong with the updated version that would cause it to skip the fstab edits?
No, this will require some work to debug, sorry. If you want to
formulate a masterfiles.git pull request for lib/3.6/fstab.cf, I can
write the acceptance tests and figure out what's broken.
Ted
B> On Wednesday, January 22, 2014 11:37:01 AM UTC-6, Ted Zlatanov wrote:
>>
>> Yes. With a little work it could go into a new lib/3.[56]/fstab.cf, not
>> included by default but quite useful. If you make it require 3.6, you
>> can shorten the code even more.
>>
B> fstab for some reason. It does do the remounts, as shown in the debug
B> output. I'm not sure where the issue is so I reverted back to the original
B> version (posted above) for the time being. Do you see anything obviously
B> wrong with the updated version that would cause it to skip the fstab edits?
No, this will require some work to debug, sorry. If you want to
formulate a masterfiles.git pull request for lib/3.6/fstab.cf, I can
write the acceptance tests and figure out what's broken.
Ted
Reply all
Reply to author
Forward
0 new messages