Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Administering a System: Managing System Security

Guidelines for Running a Secure System

Chapter 8 779

• Auditing is not enabled automatically when you have recovered the

system. Be sure to turn auditing on.

Guidelines for Mounting and Unmounting a File

System

The mount command enables you to attach removable ﬁle systems and

disk or disk partitions to an existing ﬁle tree. The mount command uses a

ﬁle called /etc/fstab, which contains a list of available ﬁle systems and

their corresponding mount positions. The /etc/fstab ﬁle should be

writable only by root, but readable by others. Refer to “Managing File

Systems” on page 602 for more information on mounting ﬁle systems.

Observe the following precautions when mounting a ﬁle system or disk:

• Create a mount point directory (such as /mnt) on which to mount a

new ﬁle system. Never mount a ﬁle system in a directory that

already contains ﬁles, because those ﬁles will become inaccessible.

The mount point of a mounted ﬁle system acquires the permissions

and ownership of the ﬁle system’s root directory.

• Use base mode permissions and access control list entries on disk

path names to control access to disks.

• Use the -r option of the mount command to mount the ﬁle system as

read-only. Physically write-protected ﬁle systems must be mounted

this way.

• When mounting a new or foreign ﬁle system, assume that the

medium is insecure.

❏ Create a directory restricted to root, by setting its permissions

at 700 (drwx------).

# mkdir /securefile

# chmod 700 /securefile

❏ Run the fsck program to verify that the ﬁle system is not

technically corrupted.

Make sure that your PATH environment variable does not include

“.” (the current directory); otherwise, you might run a Trojan

Horse version of ls or some similar command while examining

the new ﬁle system.