starred/hardening
1
0
Fork 0
mirror of https://github.com/konstruktoid/hardening.git synced 2026-04-25 16:55:53 +03:00
Code Issues 6 Projects Releases 4 Packages Wiki Activity

[GH-ISSUE #81] 08_fstab new /etc/fstab missing mounts #38

New issue
Closed
opened 2026-03-03 13:58:36 +03:00 by kerem · 5 comments
kerem commented 2026-03-03 13:58:36 +03:00
Owner
Copy link

Originally created by @JtheDBA on GitHub (Jul 25, 2020).
Original GitHub issue: https://github.com/konstruktoid/hardening/issues/81

Originally assigned to: @konstruktoid on GitHub.

Describe the bug
Running the script results in an /etc/fstab missing /var/log, /var/log/audit mount points in /etc/fstab

To Reproduce
Run the script

The script is grep'ping for the expressions for /var/log and /var/log/audit with a "0 0" after the "defaults" and modifying to secure. Since it is grep'ping from the source /etc/fstab to the temporary fstab and not making the match the mounts are missing when the final /etc/fstab is in place (for example if /var/log was mounted with defaults 0 2).

Expected behavior
The mount points being hardened if needed.

Technically, looking for defaults on it's own would also break /etc/fstab for anyone using BTRFS subvolumes.

I will volunteer time to code an alternative 08_fstab script for review.

System (lsb_release -a):
Ubuntu 20.04 mini AMD 64 release with "basic server" package installed

Additional context
fstab Before:
/dev/mapper/root_vg-lv_root / ext4 errors=remount-ro 0 1
/dev/mapper/root_vg-lv_home /home ext4 defaults 0 2
/dev/mapper/root_vg-lv_var /var ext4 defaults 0 2
/dev/mapper/root_vg-lv_vlog /var/log ext4 defaults 0 2
/dev/mapper/root_vg-lv_vlaudit /var/log/audit ext4 defaults 0 2
/dev/mapper/temp_vg-lv_swap none swap sw 0 0

fstab After:
/dev/mapper/root_vg-lv_root / ext4 errors=remount-ro 0 1
/dev/mapper/root_vg-lv_var /var ext4 defaults 0 2
/dev/mapper/temp_vg-lv_swap none swap sw 0 0
none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
none /dev/shm tmpfs rw,noexec,nosuid,nodev 0 0
none /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0

Originally created by @JtheDBA on GitHub (Jul 25, 2020). Original GitHub issue: https://github.com/konstruktoid/hardening/issues/81 Originally assigned to: @konstruktoid on GitHub. **Describe the bug** Running the script results in an /etc/fstab missing /var/log, /var/log/audit mount points in /etc/fstab **To Reproduce** Run the script The script is grep'ping for the expressions for /var/log and /var/log/audit with a "0 0" after the "defaults" and modifying to secure. Since it is grep'ping from the source /etc/fstab to the temporary fstab and not making the match the mounts are missing when the final /etc/fstab is in place (for example if /var/log was mounted with defaults 0 2). **Expected behavior** The mount points being hardened if needed. Technically, looking for defaults on it's own would also break /etc/fstab for anyone using BTRFS subvolumes. I will volunteer time to code an alternative `08_fstab` script for review. **System (lsb_release -a):** Ubuntu 20.04 mini AMD 64 release with "basic server" package installed **Additional context** fstab Before: /dev/mapper/root_vg-lv_root / ext4 errors=remount-ro 0 1 /dev/mapper/root_vg-lv_home /home ext4 defaults 0 2 /dev/mapper/root_vg-lv_var /var ext4 defaults 0 2 /dev/mapper/root_vg-lv_vlog /var/log ext4 defaults 0 2 /dev/mapper/root_vg-lv_vlaudit /var/log/audit ext4 defaults 0 2 /dev/mapper/temp_vg-lv_swap none swap sw 0 0 fstab After: /dev/mapper/root_vg-lv_root / ext4 errors=remount-ro 0 1 /dev/mapper/root_vg-lv_var /var ext4 defaults 0 2 /dev/mapper/temp_vg-lv_swap none swap sw 0 0 none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0 none /dev/shm tmpfs rw,noexec,nosuid,nodev 0 0 none /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0
kerem 2026-03-03 13:58:36 +03:00
  • closed this issue
  • added the
    Stale
         label
kerem commented 2026-03-03 13:58:37 +03:00
Author
Owner
Copy link

@konstruktoid commented on GitHub (Jul 25, 2020):

Hi @JtheDBA, thanks for opening this issue and I'm looking forward to the PR.

<!-- gh-comment-id:663906702 --> @konstruktoid commented on GitHub (Jul 25, 2020): Hi @JtheDBA, thanks for opening this issue and I'm looking forward to the PR.
kerem commented 2026-03-03 13:58:37 +03:00
Author
Owner
Copy link

@JtheDBA commented on GitHub (Aug 3, 2020):

PR created.

<!-- gh-comment-id:668289864 --> @JtheDBA commented on GitHub (Aug 3, 2020): PR created.
kerem commented 2026-03-03 13:58:37 +03:00
Author
Owner
Copy link

@JtheDBA commented on GitHub (Aug 3, 2020):

Just curious on thoughts of /tmp vs /var/tmp ... Most best practices recommend keeping /var/tmp persistent between reboots instead of linking to /tmp on tmpfs but in this model that would require a separate mount for /var/tmp and in addition to changes to 08_fstab a change to 10_aptget would be needed for the Pre-Invoke and Post-Invoke on /var/tmp.

<!-- gh-comment-id:668291202 --> @JtheDBA commented on GitHub (Aug 3, 2020): Just curious on thoughts of /tmp vs /var/tmp ... Most best practices recommend keeping /var/tmp persistent between reboots instead of linking to /tmp on tmpfs but in this model that would require a separate mount for /var/tmp and in addition to changes to 08_fstab a change to 10_aptget would be needed for the Pre-Invoke and Post-Invoke on /var/tmp.
kerem commented 2026-03-03 13:58:37 +03:00
Author
Owner
Copy link

@konstruktoid commented on GitHub (Aug 4, 2020):

Thanks for the PR, I'll give it a few test runs before I merge.

You're right about /var/tmp, I was on my way to fix that soon(tm).
https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s15.html: "Files and directories located in /var/tmp must not be deleted when the system is booted."

<!-- gh-comment-id:668813801 --> @konstruktoid commented on GitHub (Aug 4, 2020): Thanks for the PR, I'll give it a few test runs before I merge. You're right about `/var/tmp`, I was on my way to fix that soon(tm). https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s15.html: "Files and directories located in /var/tmp must not be deleted when the system is booted."
kerem commented 2026-03-03 13:58:38 +03:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (Sep 4, 2020):

This issue is stale because it has been open 30 days with no activity, without any activity this will be closed in 5 days.

<!-- gh-comment-id:686832072 --> @github-actions[bot] commented on GitHub (Sep 4, 2020): This issue is stale because it has been open 30 days with no activity, without any activity this will be closed in 5 days.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
renovate/github-codeql-action-4.x
v2.2.0
v2.1.0
v2.0.0
v1.0.0
v1.0
Labels
Clear labels   
Stale

   
bug

   
bug

   
bug

   
pull-request

Mirrored from GitHub Pull Request

No labels
Stale
bug
bug
bug
pull-request
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/hardening#38
No description provided.