problems during security implementation


Post by Darren Robertso » Sat, 06 Oct 2001 17:51:26



Folks. I have done something silly during my implementation of the SANS
security guide.

I am testing the above on an Ultra 5 (Solaris 8) to find out how our
software would behave on a secure server.

I have been able to find my mistake. I edited the vfstab so that the
following partitions mount with the following options:

/ remount,logging
/usr ro
/var nosuid,logging
/opt nosuid,logging

I have however left in a trailing "-" in the / filesystem. While booting, the
OS tells me that there are too many options for the root partition. Easy to
fix, I thought; however, logging in as root (even single user mode) doesn't allow
me to edit vfstab - read only file system.

There are other problems but this is the one that is concerning me the most
at the moment. Can anyone help by telling me what I can do to sort this out?
Do I boot from cdrom or re-install and start again?

TIA

D.

--
__________
Darren Robertson
Technical Support
ORC Software
__________
Tel: +44 (0)20 7942 0999
Fax: +44 (0)20 7942 0940
www.orcsoftware.com

Post by Nicolas Iseli » Sat, 06 Oct 2001 18:51:49



> I have however left in a trailing "-" in the / filesystem. While booting, the
> OS tells me that there are too many options for the root partition. Easy to
> fix, I thought; however, logging in as root (even single user mode) doesn't allow
> me to edit vfstab - read only file system.

This is a common problem. It is the same problem as having forgotten the root
password: Simply boot from a CD-ROM, but do not start the real installation
but escape to the shell. You will now have a different 'root' filesystem. Mount
the 'real' root filesystem onto /mnt (e.g.) manually, do a 'cd /mnt/etc', then
vi your vfstab and reboot again.

Nicolas

 
 
 


Post by Andrew Gabri » Sat, 06 Oct 2001 19:46:20




>Folks. I have done something silly during my implementation of the SANS
>security guide.

>I am testing the above on an Ultra 5 (Solaris 8) to find out how our
>software would behave on a secure server.

>I have been able to find my mistake. I edited the vfstab so that the
>following partitions mount with the following options:

>/ remount,logging
>/usr ro
>/var nosuid,logging
>/opt nosuid,logging

>I have however left in a trailing "-" in the / filesystem. While booting, the
>OS tells me that there are too many options for the root partition. Easy to
>fix, I thought; however, logging in as root (even single user mode) doesn't allow
>me to edit vfstab - read only file system.

mount -o remount,rw /dev/dsk/whatever /

(You might not need the /dev/dsk/whatever - I'm not sure if that
can be obtained from /etc/mnttab at this stage.)

For Solaris releases before 8, you would also need the -m option
to prevent mount trying to write to /etc/mnttab (because it too
is read-only). However, /etc/mnttab is not a regular file from
Solaris 8 onwards, and this issue is gone.

>There are other problems but this is the one that is concerning me the most
>at the moment. Can anyone help by telling me what I can do to sort this out?
>Do I boot from cdrom or re-install and start again?

You could also boot from the cdrom (1 of 2), but rather than install,
you simply open a command window, mount the root filesystem on /mnt
(or /a) and edit the vfstab.

--
Andrew Gabriel
Consultant Software Engineer

 
 
 


Post by Mathew Kirsc » Sun, 07 Oct 2001 03:04:27



> I have however left in a trailing "-" in the / filesystem. While booting, the
> OS tells me that there are too many options for the root partition. Easy to
> fix, I thought; however, logging in as root (even single user mode) doesn't allow
> me to edit vfstab - read only file system.

"remount" is not a useful option in /etc/vfstab, either.

> There are other problems but this is the one that is concerning me the most
> at the moment. Can anyone help by telling me what I can do to sort this out?

Boot from CDROM, mount the directory read/write manually, and fix the problem.

> Do I boot from cdrom or re-install and start again?

AUGH! NO! Reinstall is how you fix problems with Microsoft software!
Occasionally you will find reinstallation is necessary on a UNIX system, like
when the entire system goes up in smoke because the networking guys hooked up
the building power directly to the 14,000V mains, but for almost all problems,
you will find that they can be easily repaired with some simple administration
techniques.
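
Added example (not part of any post in this thread): a pre-reboot check for the mistake discussed above. It assumes the standard seven-field vfstab layout, reports lines with a different field count (a trailing "-" after the options makes eight), and flags "remount" in the options column as the last reply advises. The function names and device names are made up for illustration.

```sh
#!/bin/sh
# vfstab fields: device-to-mount device-to-fsck mount-point fstype
#                fsck-pass mount-at-boot mount-options   (7 in total)

# Print one finding per problem; return non-zero if anything was found.
lint_vfstab() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        NF != 7 {
            printf "line %d (%s): %d fields, expected 7\n", NR, $3, NF
            bad = 1
        }
        NF >= 7 && $7 != "-" {
            n = split($7, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "remount") {
                    # flagged on the advice given in this thread
                    printf "line %d (%s): remount listed as a vfstab option\n", NR, $3
                    bad = 1
                }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample reproducing the edit described in the first post.
write_sample() {
    cat > "$1" <<'EOF'
#device           device             mount FS   fsck mount   mount
#to mount         to fsck            point type pass at boot options
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 /     ufs  1    no      remount,logging -
/dev/dsk/c0t0d0s6 /dev/rdsk/c0t0d0s6 /usr  ufs  1    no      ro
/dev/dsk/c0t0d0s3 /dev/rdsk/c0t0d0s3 /var  ufs  1    no      nosuid,logging
/dev/dsk/c0t0d0s5 /dev/rdsk/c0t0d0s5 /opt  ufs  2    yes     nosuid,logging
EOF
}

# Demo run on the constructed sample.
tmp=$(mktemp)
write_sample "$tmp"
lint_vfstab "$tmp" || echo "vfstab needs fixing before the next reboot"
rm -f "$tmp"
```

Run it against a copy of /etc/vfstab after every edit and before rebooting; an exit status of 0 means no findings.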