Re: read-only file systems

From: Silvex Security Team (security@ns1.silvex.com)
Date: 09/11/01


From: Silvex Security Team <security@ns1.silvex.com>
Message-Id: <200109110820.f8B8KarI011460@ns1.silvex.com>
Subject: Re: read-only file systems
To: HeathFla@reciprocal.com (Heather Flanagan)
Date: Tue, 11 Sep 2001 01:20:36 -0700 (PDT)

On 'touchy' Solaris/Linux systems (firewalls, servers) I always have

/               rw,suid
/usr            ro,suid
/var            rw,nosuid (noexec on linux)
/usr/local/bin  ro,suid
/opt            ro,suid
/tmp            rw,nosuid (noexec on linux)
/home           rw,nosuid (noexec on linux)

>
> I know /usr can be comfortably turned into a read-only file system for
> particularly hardened systems - or at least I can't think of any reason why
> not. Can the same be done with / on Solaris 8?
>
> -heather f.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Heather Flanagan, GSEC UNIX Systems Administrator
> Reciprocal, Inc. (919) 462-4642
>
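
An added example, not part of the original message: a Python check of a Linux mount table against the Linux variant of the layout listed in the reply. POLICY, SAMPLE_MOUNTS, the function names and the sample device names are assumptions made for illustration; a path with no mount of its own is judged by the file system that actually holds it.

```python
# Policy from the post, Linux variant: path -> options that must be present.
# "suid" and "rw" are defaults, so only ro/nosuid/noexec are enforceable here.
POLICY = {
    "/": set(),
    "/usr": {"ro"},
    "/var": {"nosuid", "noexec"},
    "/usr/local/bin": {"ro"},
    "/opt": {"ro"},
    "/tmp": {"nosuid", "noexec"},
    "/home": {"nosuid", "noexec"},
}

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /usr ext3 ro 0 0
/dev/sda3 /var ext3 rw,nosuid 0 0
/dev/sda5 /tmp ext3 rw,nosuid,noexec 0 0
/dev/sda6 /home ext3 rw,nosuid,noexec 0 0
"""

def parse_mounts(text):
    """Return {mount point: option set}; a later line for the same point wins."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1].startswith("/"):
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts

def covering_mount(path, mounts):
    """Longest mounted prefix of path: the file system that actually holds it."""
    hits = [m for m in mounts
            if m == "/" or path == m or path.startswith(m + "/")]
    return max(hits, key=len) if hits else None

def audit(text, policy=POLICY):
    """List (path, missing option, covering mount) for every policy gap."""
    mounts = parse_mounts(text)
    findings = []
    for path, required in policy.items():
        mount = covering_mount(path, mounts)
        if mount is None:
            findings.append((path, "unmounted", None))
            continue
        for opt in sorted(required - mounts[mount]):
            findings.append((path, opt, mount))
    return findings
```

On a live Linux host, pass the contents of /proc/mounts to audit(). In the sample, /opt is reported because it sits on the read-write root, while /usr/local/bin passes because it inherits ro from /usr.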