    Scripting partitioning on AWS

    IRJ:

      So we want to create 5 or 6 separate partitions for directories like /home, /var, /var/log, etc.

      In order to achieve this automatically in AWS you can provision EBS volumes, but it takes like 15-20 mins, which is well over the 2-3 minute build time we'd like to have.

      A workaround could be creating partition files and mounting them. This is pretty much instant, and does satisfy the requirement. However, you don't get the benefit of actual separated partitions and disk space is used for the full partition. For example if you create a 5GB partition, you create a 5GB file when you might only be storing 500MB. On the flip side, you can't set it too small because you can't be running out of disk space.

      Anybody else handling this kind of challenge? @stacksofplates @Obsolesce
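An added example, not code from the thread, of the file-backed approach and of checking the result: it builds a sparse ext4 image (so, going beyond the post, a 5GB image only consumes the blocks actually written), emits the matching fstab entry, and checks a mount table for the separate mount points and the /tmp options (nodev, nosuid, noexec) that come up later in the thread. The image path, sizes and the mount table are constructed; mounting real images needs root.

```shell
# Added example (not from the thread). Assumes ext4 images on loop devices.
# Constructed sample in /proc/self/mounts format: a host where /tmp, /var,
# /var/log and /home are file-backed (loop) filesystems.
SAMPLE_MOUNTS='/dev/xvda1 / ext4 rw,relatime,discard 0 0
/dev/loop0 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/loop1 /var ext4 rw,relatime 0 0
/dev/loop2 /var/log ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/loop3 /home ext4 rw,nodev,relatime 0 0'

# create_image FILE SIZE: sparse image (blocks are allocated only as data is
# written, so a 5G image does not cost 5G up front) with a fresh ext4 on it.
create_image() {
    truncate -s "$2" "$1" && mkfs.ext4 -q -F "$1"
}

# fstab_line IMAGE MOUNTPOINT OPTS: the /etc/fstab entry that mounts the image.
fstab_line() {
    printf '%s %s ext4 loop,%s 0 0\n' "$1" "$2" "$3"
}

# mount_opts MOUNTS MOUNTPOINT: option string of an exact mount point, or empty.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# has_opt OPTS OPT: succeeds when OPT appears in the comma-separated list.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_mounts MOUNTS: one PASS/FAIL line per requirement raised in the thread;
# the return value is the number of failures (0 means everything passed).
check_mounts() {
    fails=0
    for mp in /tmp /var /var/log /home; do
        if [ -n "$(mount_opts "$1" "$mp")" ]; then
            echo "PASS separate filesystem mounted on $mp"
        else
            echo "FAIL $mp is not a separate filesystem"; fails=$((fails + 1))
        fi
    done
    opts=$(mount_opts "$1" /tmp)
    for opt in nodev nosuid noexec; do
        if has_opt "$opts" "$opt"; then
            echo "PASS /tmp mounted with $opt"
        else
            echo "FAIL /tmp is missing $opt"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}
fstab_line /srv/images/tmp.img /tmp nodev,nosuid,noexec   # constructed path
check_mounts "$SAMPLE_MOUNTS"
```

Run `create_image /srv/images/tmp.img 5G` as root, add the printed fstab line, and `mount /tmp`; then `check_mounts "$(cat /proc/self/mounts)"` confirms the result on the live host.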

      IRJ:

        If I were to fill up a 5GB /var file partition it should not be able to crash the root disk. Correct?

        stacksofplates (replying to IRJ):

          @IRJ said in Scripting partitioning on AWS:

          If I were to fill up a 5GB /var file partition it should not be able to crash the root disk. Correct?

          Yeah that's correct.

          stacksofplates:

            I haven't had to deal with this but let me look around and see what I can figure out.

            We did the separate volumes, but it was on internal stuff so it was easy to add the volumes.

            stacksofplates:

              It takes 15 mins to get the initial EBS volume? That's crazy.

              travisdh1 (replying to IRJ):

                @IRJ Let's take a step back here. Why are the separate partitions being used?

                A separate /home for a file server makes a lot of sense. Separating out /var and /var/log is a bit odd (unless it's a dedicated rsyslog, Graylog, or ELK stack).

                stacksofplates (replying to travisdh1):

                  @travisdh1 said in Scripting partitioning on AWS:

                  @IRJ Let's take a step back here. Why are the separate partitions being used?

                  A separate /home for a file server makes a lot of sense. Separating out /var and /var/log is a bit odd (unless it's a dedicated rsyslog, Graylog, or ELK stack).

                  Some places require it. It's in case things like /var/log fill up. DoD requires separate volumes for all of that. It's also for security, like setting noexec on /tmp.

                  travisdh1 (replying to stacksofplates):

                    @stacksofplates said in Scripting partitioning on AWS:

                    @travisdh1 said in Scripting partitioning on AWS:

                    @IRJ Let's take a step back here. Why are the separate partitions being used?

                    A separate /home for a file server makes a lot of sense. Separating out /var and /var/log is a bit odd (unless it's a dedicated rsyslog, Graylog, or ELK stack).

                    Some places require it. It's in case things like /var/log fill up. DoD requires separate volumes for all of that. It's also for security, like setting noexec on /tmp.

                    Right, which is why I'm asking and not just saying that this is dumb.

                      stacksofplates:

                      We had to go as far as separating /var/log and /var/log/audit to keep auditd messages separate.

                        IRJ (replying to travisdh1):

                        @travisdh1 said in Scripting partitioning on AWS:

                        @IRJ Let's take a step back here. Why are the separate partitions being used?

                        A separate /home for a file server makes a lot of sense. Separating out /var and /var/log is a bit odd (unless it's a dedicated rsyslog, Graylog, or ELK stack).

                        CIS compliance requires it.

                          IRJ (replying to stacksofplates):

                          @stacksofplates said in Scripting partitioning on AWS:

                          We had to go as far as separating /var/log and /var/log/audit to keep auditd messages separate.

                          That's level 2. Fortunately I only need level 1 which is still annoying 🙂

                            IRJ:

                            For anyone interested here are the CIS requirements.

                            https://secscan.acron.pl/ubuntu1604/1/1/2
                            https://secscan.acron.pl/ubuntu1604/1/1/6
                            https://secscan.acron.pl/ubuntu1604/1/1/7
                            https://secscan.acron.pl/ubuntu1604/1/1/12

                            Note: we have Ubuntu 18.04, but these requirements are the same.

                              travisdh1 (replying to IRJ):

                              @IRJ said in Scripting partitioning on AWS:

                              For anyone interested here are the CIS requirements.

                              https://secscan.acron.pl/ubuntu1604/1/1/2
                              https://secscan.acron.pl/ubuntu1604/1/1/6
                              https://secscan.acron.pl/ubuntu1604/1/1/7
                              https://secscan.acron.pl/ubuntu1604/1/1/12

                              Note: we have Ubuntu 18.04, but these requirements are the same.

                              Out of the 4 you linked to here, only adding nodev to /tmp even makes sense.

                              Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.

                              Do they also have you remove LVM and all the tooling for LVM?

                              I know, DoD, can't question the system, yadda, yadda. Still doesn't mean I don't call out stupid when I see it.

                                travisdh1 (replying to IRJ):

                                @IRJ said in Scripting partitioning on AWS:

                                For anyone interested here are the CIS requirements.

                                https://secscan.acron.pl/ubuntu1604/1/1/2
                                https://secscan.acron.pl/ubuntu1604/1/1/6
                                https://secscan.acron.pl/ubuntu1604/1/1/7
                                https://secscan.acron.pl/ubuntu1604/1/1/12

                                Note: we have Ubuntu 18.04, but these requirements are the same.

                                Do I recall that you don't have a state management system like Salt or Ansible running correctly? That would be the easiest way to handle this.

                                If not, it should also be easy to script this in your favorite shell.

                                  stacksofplates (replying to travisdh1):

                                  @travisdh1 said in Scripting partitioning on AWS:

                                  @IRJ said in Scripting partitioning on AWS:

                                  For anyone interested here are the CIS requirements.

                                  https://secscan.acron.pl/ubuntu1604/1/1/2
                                  https://secscan.acron.pl/ubuntu1604/1/1/6
                                  https://secscan.acron.pl/ubuntu1604/1/1/7
                                  https://secscan.acron.pl/ubuntu1604/1/1/12

                                  Note: we have Ubuntu 18.04, but these requirements are the same.

                                  Out of the 4 you linked to here, only adding nodev to /tmp even makes sense.

                                  Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.

                                  I know, DoD, can't question the system, yadda, yadda. Still doesn't mean I don't call out stupid when I see it.

                                  I can see value to /var/log. You don't want runaway logs to fill up /. Separating /var and /var/log is much less useful. I can see /home too if it's an interactive system. If not then it's not that useful. Setting nosuid I think is valuable for /tmp also to help ensure something can't be elevated past normal privileges.

                                  Do they also have you remove LVM and all the tooling for LVM?

                                  We didn't have to for DISA STIGs, that's how we created the volumes.

                                    IRJ (replying to stacksofplates):

                                    @stacksofplates said in Scripting partitioning on AWS:

                                    @travisdh1 said in Scripting partitioning on AWS:

                                    @IRJ said in Scripting partitioning on AWS:

                                    For anyone interested here are the CIS requirements.

                                    https://secscan.acron.pl/ubuntu1604/1/1/2
                                    https://secscan.acron.pl/ubuntu1604/1/1/6
                                    https://secscan.acron.pl/ubuntu1604/1/1/7
                                    https://secscan.acron.pl/ubuntu1604/1/1/12

                                    Note: we have Ubuntu 18.04, but these requirements are the same.

                                    Out of the 4 you linked to here, only adding nodev to /tmp even makes sense.

                                    Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.

                                    I know, DoD, can't question the system, yadda, yadda. Still doesn't mean I don't call out stupid when I see it.

                                    I can see value to /var/log. You don't want runaway logs to fill up /. Separating /var and /var/log is much less useful. I can see /home too if it's an interactive system. If not then it's not that useful. Setting nosuid I think is valuable for /tmp also to help ensure something can't be elevated past normal privileges.

                                    Do they also have you remove LVM and all the tooling for LVM?

                                    We didn't have to for DISA STIGs, that's how we created the volumes.

                                    Yes we are the same. It seems like we are following the same compliance 🙂

                                      stacksofplates (replying to IRJ):

                                      @IRJ said in Scripting partitioning on AWS:

                                      @stacksofplates said in Scripting partitioning on AWS:

                                      @travisdh1 said in Scripting partitioning on AWS:

                                      @IRJ said in Scripting partitioning on AWS:

                                      For anyone interested here are the CIS requirements.

                                      https://secscan.acron.pl/ubuntu1604/1/1/2
                                      https://secscan.acron.pl/ubuntu1604/1/1/6
                                      https://secscan.acron.pl/ubuntu1604/1/1/7
                                      https://secscan.acron.pl/ubuntu1604/1/1/12

                                      Note: we have Ubuntu 18.04, but these requirements are the same.

                                      Out of the 4 you linked to here, only adding nodev to /tmp even makes sense.

                                      Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.

                                      I know, DoD, can't question the system, yadda, yadda. Still doesn't mean I don't call out stupid when I see it.

                                      I can see value to /var/log. You don't want runaway logs to fill up /. Separating /var and /var/log is much less useful. I can see /home too if it's an interactive system. If not then it's not that useful. Setting nosuid I think is valuable for /tmp also to help ensure something can't be elevated past normal privileges.

                                      Do they also have you remove LVM and all the tooling for LVM?

                                      We didn't have to for DISA STIGs, that's how we created the volumes.

                                      Yes we are the same. It seems like we are following the same compliance 🙂

                                      Used to. Thankfully I'm out of that.

                                        IRJ:

                                        @stacksofplates do you happen to know what sizes were used for the partitions?

                                          IRJ:

                                          Found this chart on somebody's project on GitHub. Seems like a reasonable place to start?

                                          [image: partition size chart from the GitHub project]

                                            Obsolesce (replying to IRJ):

                                            @IRJ said in Scripting partitioning on AWS:

                                            @stacksofplates do you happen to know what sizes were used for the partitions?

                                            How much disk usage is currently in use in those areas?
